CN117852027A - Industrial control system protection method, system and storage medium based on identity security - Google Patents


Info

Publication number
CN117852027A
Authority
CN
China
Prior art keywords
industrial control
industrial
control system
security
monitoring area
Prior art date
Legal status
Pending
Application number
CN202410033183.0A
Other languages
Chinese (zh)
Inventor
钱立佩
王旭
孙逢宁
刘迎宾
乔梦宇
索良晨
王辉
Current Assignee
Beijing Jianheng Xin'an Technology Co ltd
Original Assignee
Beijing Jianheng Xin'an Technology Co ltd
Application filed by Beijing Jianheng Xin'an Technology Co ltd
Priority to CN202410033183.0A
Publication of CN117852027A
Legal status: Pending

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Storage Device Security (AREA)

Abstract

The application relates to an industrial control system protection method, system and storage medium based on identity security, belonging to the technical field of industrial control system security protection. The method comprises: dividing an industrial control system into a plurality of monitoring areas according to a security protection request, each monitoring area comprising at least one basic device; calculating a total security score and a total risk score of the basic devices contained in a monitoring area; matching the total security score and the total risk score to obtain the industrial control security protection product combination corresponding to the monitoring area; and generating an identity authentication strategy according to the industrial control security protection product combination corresponding to the monitoring area. The application has the effect of improving the security protection of the industrial control system.

Description

Industrial control system protection method, system and storage medium based on identity security
Technical Field
The application relates to the technical field of industrial control system safety protection, in particular to an industrial control system protection method, an industrial control system protection system and a storage medium based on identity safety.
Background
An industrial control system (ICS) is a computer system for monitoring and controlling industrial processes. It is widely used in manufacturing, energy, water treatment, transportation and similar fields, where it automates control of the industrial process and provides technical support for improving working efficiency, safety and production quality.
To ensure the security of an industrial control system, identity security protection technology is usually introduced into it. However, an industrial control system is designed mainly to control physical entities intelligently, and it is characterised by an aged environment, low system performance, no Internet connectivity, and no effective security maintenance personnel or systems. Traditional identity security technologies such as static password authentication, smart card authentication, USB Key authentication, fingerprint authentication and iris authentication are therefore difficult, or even impossible, to apply to an industrial control system, so its security protection cannot be guaranteed.
Disclosure of Invention
In order to solve the problem that the safety protection of an industrial control system cannot be guaranteed, the application provides an industrial control system protection method, an industrial control system protection system and a storage medium based on identity safety.
In a first aspect of the present application, an industrial control system protection method based on identity security is provided. The method comprises the following steps:
dividing an industrial control system according to a safety protection request to obtain a plurality of monitoring areas, wherein the monitoring areas at least comprise a basic device;
calculating a total security score and a total risk score of the base equipment contained in the monitoring area;
matching the total security score with the total risk score to obtain an industrial control security protection product combination corresponding to the monitoring area;
and generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
By adopting the technical scheme, the industrial control system is subjected to safety protection according to the safety protection request, and specifically: firstly, dividing an industrial control system into a plurality of monitoring areas; then, calculating the total safety score and the total risk score of the basic equipment contained in the monitoring area aiming at each monitoring area, and selecting an adaptive industrial control safety protection product combination according to the total safety score and the total risk score; and finally, generating an identity authentication strategy corresponding to the monitoring area according to the selected industrial control safety protection product combination. Therefore, the industrial control system is divided, and then personalized industrial control safety protection product combinations are configured for each area to generate personalized identity authentication strategies, so that the identity safety protection technology is truly integrated in the industrial control system, and the safety protection of the industrial control system is improved.
In one possible implementation: in the same monitoring area, a plurality of base devices delivering the same message are taken as a group of devices, and the calculating of the total security score of the base devices contained in the monitoring area comprises the following steps:
selecting a group of devices with the largest number of basic devices to be determined as a reference group;
calculating the proportion of the number of the basic devices contained in the reference group to the total number of the basic devices contained in the monitoring area to obtain a first occupation ratio;
calculating the ratio of the number of groups that have a common point to the total number of groups in the monitoring area to obtain a second ratio, where a common point is a basic device through which different messages pass;
and obtaining a total security score according to the first occupation ratio and the second occupation ratio.
By adopting the technical scheme, the first ratio is the proportion of the basic devices in the reference group to all basic devices in the monitoring area, and since each group of devices is a set of basic devices that transmit the same message, the first ratio is one index of how strongly the basic devices in the monitoring area are associated. Likewise, the second ratio is the proportion of groups that have a common point among all groups in the monitoring area, and a common point is a basic device through which different messages pass, so the second ratio is another index of that association degree. Finally, the total security score is obtained from these two indexes, which ensures the accuracy of the calculated total security score and provides technical support for the subsequent selection of an adapted industrial control security protection product combination.
In one possible implementation: the total security score is calculated by the following formula:
S1 = f(q1 + q2), where S1 is the total security score, q1 is the first ratio, q2 is the second ratio, and the function f(·) adds the first ratio and the second ratio, shifts the decimal point two places to the right, and keeps the integer part of the result.
In one possible implementation: the industrial control system includes a plurality of levels, and calculating the total risk score of the basic devices comprises:
obtaining a risk score according to the number of basic devices in the monitoring area;
obtaining weights according to the number of levels spanned by the monitoring area;
multiplying the risk score by the weight to obtain the total risk score.
By adopting the technical scheme, as the number of the basic devices in the monitoring area is larger, the coverage range required to be subjected to safety protection is larger, and the difficulty is also larger, the risk score is obtained according to the number of the basic devices in the monitoring area. Secondly, the more the number of levels the monitoring area spans, the larger the coverage area that needs to be safeguarded, so the weight is obtained according to the number of levels the monitoring area spans. Finally, the two protection conditions are combined to obtain a total risk score, namely, the total risk score is obtained by multiplying the risk score by the weight, so that the accuracy of the calculated total risk score is ensured, and further technical support is provided for the subsequent selection of the adaptive industrial control safety protection product combination.
In one possible implementation: the industrial control safety product combination comprises a first combination product, a second combination product, a third combination product, a fourth combination product, a fifth combination product, a sixth combination product and a seventh combination product;
the first combined product comprises an industrial firewall and an industrial control fort machine;
the second combination product comprises an industrial firewall and an industrial control audit;
the third combination product comprises an industrial firewall and an industrial control access system;
the fourth combined product comprises an industrial firewall, an industrial control fort machine and an industrial control audit;
the fifth combined product comprises an industrial firewall, an industrial control fort machine and an industrial control access system;
the sixth combination product comprises an industrial firewall, an industrial control audit and an industrial control access system;
the seventh combined product comprises an industrial firewall, an industrial control fort machine, an industrial control audit and an industrial control access system.
By adopting the above technical scheme, the application provides multiple industrial control security protection product combinations, so that after the total security score and the total risk score of a monitoring area have been calculated, a corresponding product combination can be matched to the monitoring area and a personalised identity authentication strategy generated from it. The identity security protection technology is thus truly integrated in the industrial control system, improving its security protection.
In one possible implementation: the step of generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area comprises the following steps:
an identity authentication white list is configured in an industrial firewall of the industrial control safety protection product combination, and the identity authentication white list stores identity information of a manager and management rights corresponding to the manager;
and the industrial firewall is linked with the rest industrial safety protection products in the industrial safety protection product combination to carry out safety protection.
By adopting the technical scheme, since the industrial firewall implements isolation protection of the monitoring area, every product combination includes an industrial firewall, and the identity authentication white list is placed in the industrial firewall. On the one hand, when the security protection requirement of a monitoring area is high, further kinds of industrial security protection products can be added on the basis of the industrial firewall without redeploying the product combination, which reduces the number of times the identity authentication white list has to be configured and improves protection efficiency. On the other hand, in monitoring areas with low protection requirements, deploying a single industrial firewall is enough to achieve protection, which saves security protection hardware resources.
In one possible implementation: the safety protection request comprises identity information and request content, and the dividing of the industrial control system according to the safety protection request to obtain a plurality of monitoring areas comprises the following steps:
after the identity information passes the authentication, dividing the industrial control system into a plurality of monitoring areas according to the request content.
In one possible implementation: the request content includes a request for security protection of one type of base device and/or a request for security protection of all base devices on one service line and/or a request for security protection of one core data.
By adopting the above technical scheme, after the identity information is authenticated, the industrial control system is divided into a plurality of monitoring areas according to the different request contents, so that the security protection of the industrial control system better fits the needs of the actual environment and satisfies the security protection requirements of the industrial control system.
In a second aspect of the present application, an industrial control system protection system based on identity security is provided. The system comprises:
the data processing module is used for partitioning the industrial control system according to the safety protection request to obtain a plurality of monitoring areas, wherein the monitoring areas at least comprise one basic device;
the data calculation module is used for calculating the total security score and the total risk score of the basic equipment contained in the monitoring area;
the data matching module is used for matching the total security score and the total risk score to obtain an industrial control security protection product combination corresponding to the monitoring area;
and the data generation module is used for generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
In a fourth aspect of the present application, a computer readable storage medium is provided, having stored thereon a computer program which when executed by a processor implements any of the above-described identity based industrial control system protection methods.
In summary, the present application includes one of the following beneficial technical effects:
First, the application divides an industrial control system into a plurality of monitoring areas according to the different request contents. Then, for each monitoring area, the total security score and the total risk score of the basic devices it contains are calculated. The total security score reflects the association degree of the basic devices in the monitoring area: the higher the association degree, the higher the corresponding security risk, because a problem at one basic device can easily affect the whole area. The total risk score reflects the coverage range and the difficulty of security protection, which also matter for whether the protection meets the needs of the real environment. The total security score and the total risk score are therefore used as the conditions for selecting the industrial control security protection product combination, and an identity authentication strategy corresponding to the monitoring area is generated according to the selected combination, so that the identity security protection technology is truly integrated in the industrial control system and its security protection is improved.
Drawings
FIG. 1 is a schematic diagram of an exemplary operating environment of an embodiment of the present application.
FIG. 2 is a flow chart of an industrial control system protection method based on identity security according to an embodiment of the present application.
Fig. 3 is an exemplary diagram of combining two monitoring areas into one monitoring area in an embodiment of the method of the present application.
Fig. 4 is a block diagram of an industrial control system protection system based on identity security in accordance with an embodiment of the present application.
Reference numerals: 1. data processing module; 2. data calculation module; 3. data matching module; 4. data generation module.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present application can be implemented, the operating environment being an industrial control system that is comprised of a field device layer, a field control layer, a process monitoring layer, a production management layer, and an enterprise management layer. The field device layer mainly comprises production equipment of an entity and monitoring equipment for monitoring the production equipment, such as electronic equipment of a turbine, a sensor, a robot arm and the like. The upper computer of the field device layer is arranged in the field control layer, and the upper computer in the field control layer is provided with a controller, an engineering station, an operation station and other intelligent devices for monitoring and controlling the electronic devices in the field device layer, wherein the controller is used for realizing intelligent control of the instruments of the electronic devices, such as a programmable logic controller (programmable logic controller, PLC), a PAC controller, an industrial personal computer (industrial personal computer, IPC), an edge programmable industrial controller and the like. The process monitoring layer is provided with a database which is used for storing data uploaded by the field device layer and the field control layer. The enterprise management layer is provided with various application systems, such as an OA system, an ERP system, a MAIL system and a WEB system, and is also connected with a personal computer (personal computer, PC) and performs information interaction with the cloud through VPN, and management personnel can configure the various application systems in the enterprise management layer through the personal computer.
In order to reduce the safety risk of an industrial control system and ensure the safety of core data in the industrial control system, the application provides an industrial control system protection method based on identity security. Fig. 2 shows a flowchart of a protection method according to an embodiment of the present application, and the main flow of the method is described below.
Step S10, a safety protection request is received.
Before the industrial control system is put into use or after equipment deployment in the industrial control system changes, a manager can send a safety protection request to the industrial control system through a PC (personal computer) for requesting to carry out safety protection on the industrial control system. The safety protection request comprises identity information and request content, wherein the identity information is used for the industrial control system to authenticate the identity of the manager, and the industrial control system only executes the request content when the identity authentication is passed, and the request content is a specific safety protection task. Otherwise, the industrial control system does not process the requested content.
And step S20, dividing the industrial control system into a plurality of monitoring areas according to the safety protection request.
Specifically, after the identity authentication in the security protection request passes, the system architecture of the industrial control system is first retrieved. The architecture comprises the field device layer, field control layer, process monitoring layer, production management layer and enterprise management layer, and the device types and numbers of devices in each layer are determined; the devices involved in each layer are hereinafter called basic devices. The industrial control system is then divided into a plurality of monitoring areas according to the request content in the security protection request. Since the request content includes specific security tasks, for example a request for security protection of type A basic devices, a request for security protection of all basic devices on service line i, or a request for security protection of core data a, the application divides the industrial control system into monitoring areas according to the request content and the types of basic devices.
To make the partitioning process easier to describe, the following takes as an example a request to protect all basic devices on a service line. First, the service line to be protected is obtained from the request content, and the layers spanned by that service line are determined. Because basic devices in different layers may be physically far apart, basic devices on the same service line that are within a certain distance of each other are combined into one monitoring area; alternatively, the basic devices on the same service line within each layer can be combined into one monitoring area. This continues until all basic devices on the service line have been assigned to monitoring areas.
It should be noted that the system architecture of an industrial control system is generally complex and wide in coverage, and the request content may involve multiple security tasks, for example both a request for security protection of type A basic devices and a request for security protection of all basic devices on service line i. Dividing an industrial control system therefore usually yields multiple monitoring areas. In addition, when the request content involves multiple security tasks, if a monitoring area obtained for one task overlaps a monitoring area obtained for another task to a degree higher than a preset value, the two monitoring areas are merged into one, which avoids the resource waste of protecting the same basic devices repeatedly. As shown in fig. 3, if the square frame is a monitoring area obtained for one task and the round frame is a monitoring area obtained for another task, and the overlap degree of the square frame and the round frame exceeds the preset value, the two are merged into one final monitoring area m.
And step S30, determining industrial control safety protection product combinations corresponding to the monitoring areas according to the basic equipment contained in each monitoring area.
The industrial security protection products comprise industrial firewalls, industrial control fort machines (bastion hosts), industrial control audit and industrial control access systems. The industrial firewall implements security control and isolation protection of the monitoring area, and at the same time performs deep analysis of control protocols, for example analysis of abnormal application-layer traffic of Modbus, DNP3 and the like, and dynamic tracking of OPC ports, so as to protect key registers and operations. The industrial control fort machine integrates the industrial control protocols OPC, Modbus/TCP, Modbus/RTU, Ethernet/IP, IEC104, EIP and the like into the bastion host, provides operation and maintenance management interfaces such as unified identity authentication and authorisation queries, and can manage all upper computers, servers, application systems, industrial network devices and industrial security devices of the field device layer. The industrial control audit comprises security terminal equipment such as an industrial guard, industrial audit and log audit that monitor and record security events, user login behaviour, user operation behaviour, database access, usage and other information; after filtering, merging and alarm analysis, this is combined with analysis, statistics, ranking and other functions to realise a comprehensive audit of the security condition of the industrial control system.
The industrial control access system is configured with terminal access control technologies such as policy-based routing (PBR), the switched port analyzer (SPAN) port-mirroring technology of switches, the dynamic host configuration protocol (DHCP), the address resolution protocol (ARP), multi-vendor virtual gateway (MVG) technology, and client/server-based access control and authentication protocols. These technologies control the PCs or cloud endpoints that access the industrial control system, so as to prevent harm to the industrial control system from viruses, worms and other attack techniques.
In the application, at least two industrial safety protection products in the industrial firewall, the industrial control fort machine, the industrial control audit and the industrial control access system are combined to obtain an industrial control safety protection product combination, and the product combination is applied to a monitoring area to ensure the safety protection capability of the monitoring area.
It should be noted that, each monitoring area needs to select an industrial control safety protection product combination corresponding to the monitoring area, in order to facilitate the description of a specific setting process, the following is an example of selecting a corresponding industrial control safety protection product combination for one of the monitoring areas:
and S31, calculating the total security score and the total risk score of the basic equipment of the monitoring area.
The total security score of the basic equipment in the monitoring area is calculated as follows: first, searching basic devices which transmit messages to each other in the monitoring area, taking a plurality of basic devices which transmit the same message as a group of devices, then selecting a group of devices with the largest number of basic devices as a reference group, calculating the occupation ratio of the basic devices contained in the reference group to all the basic devices in the monitoring area, and marking the occupation ratio as a first occupation ratio. Meanwhile, the occupation ratio of the group number with the common point to all groups is calculated, and the occupation ratio is marked as a second occupation ratio. And finally, adding the first duty ratio and the second duty ratio, and taking the integer part obtained by right shifting the decimal point by two digits as the total security score. For example, there are 12 base devices in the monitoring area Q, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, respectively, provided that:
a1, a3, a4 together deliver a message w1;
a2, a3, a5, a7 together deliver a message w2;
a5, a6, a7, a8, a9, a10, a11, a12 together deliver a message w3, w1+notew2+notew3.
Then there are three total groups of devices in the monitoring area Q, the first group being a1, a3, a4, the second group being a2, a3, a5, a7, the third group being a5, a6, a7, a8, a9, a10, a11, a12;
since the number of base devices in the third group is the largest, specifically 8, the third group is marked as a reference group, and dividing the number of base devices contained in the reference group by the number of all base devices in the monitoring area Q gives a first duty ratio of 67% (8/12).
Meanwhile, since the common point a3 exists in the first group and the second group, and the common points a5 and a7 exist between the second group and the third group, the number of the device groups with the common point is three, and the ratio of the number of the device groups with the common point to the number of all the groups is calculated to be 100% (3/3), namely, the second ratio is 100%.
Thus, the total safe score = f (67% + 100%) = 167, the f function is to add the first and second duty ratios, shift the decimal point two bits to the right, and retain the resulting integer portion.
The total risk score of the basic equipment in the monitoring area is calculated as follows. First, a risk score is obtained from the number of basic devices in the monitoring area; that is, the number of basic devices in the monitoring area is the risk score. Then a weight is obtained from the number of levels spanned by the monitoring area. In this example the system architecture of the industrial control system has five layers, so the weight corresponding to one level is set to 20%, and the weight is derived from the number of levels spanned by the monitoring area as p = 20% × n, where n is the number of layers spanned by the monitoring area. In other examples, different weights may be assigned to the levels according to the actual situation; for example, if the confidentiality of the field control layer is higher than that of the field device layer, the field control layer may be given a weight of 25% and the field device layer a weight of 15%. Finally, the risk score is multiplied by the weight to obtain the total risk score.
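The two scoring rules above, written out as an added Python example that is not part of the patent text. The sample devices and messages reproduce the worked example for monitoring area Q (12 devices, three messages); the whole-percent rounding of 8/12 to 67% before the addition follows the description, which is what makes the result 167 rather than 166. The risk-score function also covers the per-layer weight variant (25% / 15%) the description mentions; the layer names used for that are an assumption.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data reproducing the example in the description:
# 12 basic devices a1..a12 in monitoring area Q and three distinct messages.
SAMPLE_DEVICES = {f"a{i}" for i in range(1, 13)}
SAMPLE_MESSAGES = {
    "w1": {"a1", "a3", "a4"},
    "w2": {"a2", "a3", "a5", "a7"},
    "w3": {"a5", "a6", "a7", "a8", "a9", "a10", "a11", "a12"},
}
# Uniform weight for a five-layer architecture: one layer corresponds to 20 %.
UNIFORM_LAYER_WEIGHT = Decimal("0.20")


def whole_percent(numerator: int, denominator: int) -> Decimal:
    """Ratio as a whole percent, rounded the way the description does (8/12 -> 67)."""
    if denominator == 0:
        raise ValueError("monitoring area contains no devices or groups")
    return (Decimal(numerator) * 100 / Decimal(denominator)).quantize(
        Decimal("1"), rounding=ROUND_HALF_UP)


def device_groups(messages):
    """One device group per distinct message: the devices that jointly deliver it."""
    return [frozenset(devices) for devices in messages.values()]


def first_ratio(groups, all_devices) -> Decimal:
    """Share (in percent) of the area's devices that belong to the largest group."""
    reference_group = max(groups, key=len)
    return whole_percent(len(reference_group), len(all_devices))


def second_ratio(groups) -> Decimal:
    """Share (in percent) of groups that have a common point, i.e. a device that
    also appears in another group."""
    with_common_point = sum(
        1 for i, g in enumerate(groups)
        if any(g & h for j, h in enumerate(groups) if j != i))
    return whole_percent(with_common_point, len(groups))


def f(x: Decimal) -> int:
    """The f(.) of the description: shift the decimal point two places to the
    right and keep the integer part."""
    return int(x * 100)


def total_security_score(messages, all_devices) -> int:
    """S1 = f(q1 + q2), with q1 and q2 taken as fractions (67 % -> 0.67)."""
    groups = device_groups(messages)
    q1 = first_ratio(groups, all_devices) / 100
    q2 = second_ratio(groups) / 100
    return f(q1 + q2)


def total_risk_score(device_count: int, spanned_layers, layer_weights=None) -> Decimal:
    """Risk score = device count; weight = sum of the weights of the spanned layers.

    With layer_weights=None every layer weighs 20 % (weight = 20 % * n as in the
    description). A dict of per-layer weights reproduces the 25 % / 15 % variant.
    """
    if layer_weights is None:
        weight = UNIFORM_LAYER_WEIGHT * len(spanned_layers)
    else:
        weight = sum((layer_weights[layer] for layer in spanned_layers), Decimal(0))
    return Decimal(device_count) * weight


if __name__ == "__main__":
    print("total security score:", total_security_score(SAMPLE_MESSAGES, SAMPLE_DEVICES))
    print("total risk score (2 layers):", total_risk_score(12, ["field control", "field device"]))
```

Decimal arithmetic is used deliberately: with binary floats, `(0.67 + 1.00) * 100` lands on a value fractionally above 167 and the "keep the integer part" step becomes sensitive to representation error.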
S32: determining the industrial control safety protection product combination corresponding to the monitoring area according to the total security score and the total risk score.
The industrial control safety protection product combination corresponding to the monitoring area is matched on the basis of the obtained total security score and total risk score. Specifically, a score table is set in advance, which stores the correspondence between the total security score, the total risk score and the safety protection product combination; the specific score table is shown in Table 1 below:
In Table 1, each combination product contains the following industrial safety protection products:
the first combination product comprises an industrial firewall and an industrial control bastion host;
the second combination product comprises an industrial firewall and an industrial control audit;
the third combination product comprises an industrial firewall and an industrial control access system;
the fourth combination product comprises an industrial firewall, an industrial control bastion host and an industrial control audit;
the fifth combination product comprises an industrial firewall, an industrial control bastion host and an industrial control access system;
the sixth combination product comprises an industrial firewall, an industrial control audit and an industrial control access system;
the seventh combination product comprises an industrial firewall, an industrial control bastion host, an industrial control audit and an industrial control access system.
As can be seen from the seven groups of industrial control safety protection product combinations, every group contains an industrial firewall, because the industrial firewall isolates and protects the monitoring area. The higher the total security score and the total risk score of the monitoring area, the more types of industrial safety protection products are added on the basis of the industrial firewall and the stronger the protection capability; in some industrial control systems with low protection requirements, an industrial firewall alone achieves the protection purpose.
It should be noted that, in other examples, if there are more types of industrial safety protection products than the five types, the correspondence between the total security score, the total risk score and the industrial safety protection product combination may be reset according to actual needs, which is not limited herein.
It should further be noted that, when there is only one basic device in the monitoring area, the industrial control safety protection product combination corresponding to the monitoring area is directly the seventh combination product.
Therefore, after the total security score and the total risk score are obtained, the industrial control safety protection product combination corresponding to the monitoring area can be matched in the score table. In this example, each monitoring area selects a suitable industrial control safety protection product combination through steps S31-S32; the selection process is the same as in the above example and is not repeated here.
S40: generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
Specifically, the identity authentication policy sets an identity authentication whitelist in the industrial firewall. The whitelist stores the identity information of managers and the management rights corresponding to each manager, and only a manager holding the management rights is permitted to query, operate and maintain the data in the monitoring area.
Because each group of products contains an industrial firewall, after the industrial control safety protection product combination corresponding to the monitoring area is determined, the industrial firewall serves as the core of safety protection and is linked with the other industrial safety protection products to monitor and control access from the PC or the cloud to the monitoring area, thereby improving the safety protection of the industrial control system.
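Step S40 as an added Python example, not code from the patent: a policy object is generated from the product combination matched for an area, refuses any combination without an industrial firewall (the protection core), and evaluates requests against the whitelist with default deny, so an unlisted identity and a listed manager lacking the requested right are both refused. The representation of identity information as a manager id, the two right names and the sample manager ids are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Rights the description grants to a whitelisted manager (names are assumed).
QUERY = "query"
OPERATE_AND_MAINTAIN = "operate_and_maintain"
ALL_RIGHTS = frozenset({QUERY, OPERATE_AND_MAINTAIN})


@dataclass
class IdentityAuthenticationPolicy:
    """Identity authentication whitelist installed in the area's industrial firewall.

    Identity information is modelled as a manager id (assumption; the description
    does not fix its format). Any identity not on the list is denied.
    """
    area: str
    products: Tuple[str, ...]
    whitelist: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def grant(self, manager_id: str, rights) -> None:
        """Add or replace a manager's entry; reject right names the policy does not know."""
        unknown = set(rights) - ALL_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights {sorted(unknown)}")
        self.whitelist[manager_id] = frozenset(rights)

    def authorize(self, manager_id: str, right: str) -> Tuple[bool, str]:
        """Default-deny check: allowed only if the manager is listed AND holds the right."""
        rights = self.whitelist.get(manager_id)
        if rights is None:
            return False, "identity not on whitelist"
        if right not in rights:
            return False, f"manager lacks right '{right}'"
        return True, "allowed"


def generate_policy(area: str, product_combination, managers) -> IdentityAuthenticationPolicy:
    """Build the area's policy from its matched product combination.

    Every combination in the score table contains an industrial firewall, which
    hosts the whitelist, so a combination without one is rejected.
    `managers` maps manager id -> rights to grant (constructed input).
    """
    if "industrial firewall" not in product_combination:
        raise ValueError("every product combination must contain an industrial firewall")
    policy = IdentityAuthenticationPolicy(area, tuple(product_combination))
    for manager_id, rights in managers.items():
        policy.grant(manager_id, rights)
    return policy


# Constructed sample: the seventh combination product for area Q and two managers.
SEVENTH_COMBINATION = ("industrial firewall", "industrial control bastion host",
                       "industrial control audit", "industrial control access system")
SAMPLE_POLICY = generate_policy("Q", SEVENTH_COMBINATION, {
    "mgr-ops-01": {QUERY, OPERATE_AND_MAINTAIN},   # full management rights
    "mgr-readonly-02": {QUERY},                    # may query, may not operate or maintain
})

if __name__ == "__main__":
    for who, right in [("mgr-ops-01", OPERATE_AND_MAINTAIN),
                       ("mgr-readonly-02", OPERATE_AND_MAINTAIN),
                       ("unknown-id", QUERY)]:
        print(who, right, SAMPLE_POLICY.authorize(who, right))
```

The `authorize` method returns the reason alongside the decision so that the linked audit product has something meaningful to record for every refusal.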
In summary, the implementation principle of the industrial control system protection method based on identity security in the embodiment of the application is as follows: first, the industrial control system is divided into a plurality of monitoring areas; then, for each monitoring area, the total security score and the total risk score of the basic equipment contained in it are calculated, and a suitable industrial control safety protection product combination is selected according to the two scores; finally, an identity authentication strategy corresponding to the monitoring area is generated according to the selected industrial control safety protection product combination, so that identity security protection is genuinely integrated into the industrial control system and its safety protection is improved.
Fig. 4 shows a block diagram of an industrial control system protection system based on identity security according to an embodiment of the present application; the system comprises a data processing module 1, a data calculation module 2, a data matching module 3 and a data generation module 4.
The data processing module 1 is used for partitioning the industrial control system according to the safety protection request to obtain a plurality of monitoring areas, wherein each monitoring area comprises at least one basic device;
the data calculation module 2 is used for calculating the total security score and the total risk score of the basic devices contained in the monitoring area;
the data matching module 3 is used for matching the total security score and the total risk score to obtain the industrial control safety protection product combination corresponding to the monitoring area;
the data generation module 4 is used for generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
The data processing module 1 is further configured to receive the security protection request.
The modules involved in the embodiments described in the present application may be implemented by means of software or by means of hardware. The described modules may also be provided in a processor, for example: a processor comprises a data processing module 1, a data calculation module 2, a data matching module 3 and a data generation module 4. The names of these modules do not in any way limit the modules themselves; for example, the data processing module 1 can also be described as "a module for partitioning an industrial control system into a plurality of monitoring areas in accordance with a safety protection request".
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In order to better execute the program of the method, the application also provides an industrial control system protection device based on identity security, which comprises a memory and a processor.
Wherein the memory may be used to store instructions, programs, code, sets of codes, or sets of instructions. The memory may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for at least one function, instructions for implementing the above-described identity-based industrial control system protection method, and the like; the storage data area can store data and the like involved in the protection method of the industrial control system based on identity security.
The processor may include one or more processing cores. The processor performs the various functions of the present application and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory and by calling the data stored in the memory. The processor may be at least one of an application specific integrated circuit, a digital signal processor, a digital signal processing device, a programmable logic device, a field programmable gate array, a central processing unit, a controller, a microcontroller and a microprocessor. It will be appreciated that the electronic device implementing the above-mentioned processor function may differ between apparatuses, and the embodiments of the present application are not specifically limited in this respect.
The present application also provides a computer-readable storage medium, for example: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code. The computer-readable storage medium stores a computer program that can be loaded by a processor and that performs the above-described industrial control system protection method based on identity security.
The foregoing description is only of the preferred embodiments of the present application and is presented as an explanation of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this application is not limited to the specific combinations of features described above, and is intended to cover other embodiments formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure, for example (but not limited to) embodiments in which the above features and technical features with similar functions disclosed in the present application are replaced with each other.

Claims (10)

1. An industrial control system protection method based on identity security, which is characterized by comprising the following steps:
dividing an industrial control system according to a safety protection request to obtain a plurality of monitoring areas, wherein the monitoring areas at least comprise a basic device;
calculating a total security score and a total risk score of the base equipment contained in the monitoring area;
matching the total security score with the total risk score to obtain an industrial control security protection product combination corresponding to the monitoring area;
and generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
2. The identity-security-based industrial control system protection method of claim 1, wherein, in the same monitoring area, a plurality of basic devices delivering the same message are taken as one group of devices, and calculating the total security score of the basic devices contained in the monitoring area comprises:
selecting the group of devices with the largest number of basic devices as a reference group;
calculating the ratio of the number of basic devices contained in the reference group to the total number of basic devices contained in the monitoring area to obtain a first ratio;
calculating the ratio of the number of groups having a common point to the number of all groups in the monitoring area to obtain a second ratio, wherein a common point refers to the same basic device through which different messages pass;
and obtaining the total security score according to the first ratio and the second ratio.
3. The identity-security-based industrial control system protection method according to claim 2, wherein the total security score is calculated by the following formula:
S1 = f(q1 + q2), where S1 is the total security score, q1 is the first ratio, q2 is the second ratio, and the function f(·) adds the first ratio and the second ratio, shifts the decimal point two digits to the right and keeps the integer part of the result.
4. The identity-security-based industrial control system protection method of claim 1, wherein the industrial control system comprises a plurality of tiers, and calculating the total risk score of the basic devices comprises:
obtaining a risk score according to the number of basic devices in the monitoring area;
obtaining weights according to the number of levels spanned by the monitoring area;
multiplying the risk score by the weight to obtain the total risk score.
5. The identity-security-based industrial control system protection method of claim 1, wherein the industrial control safety protection product combination comprises a first combination product, a second combination product, a third combination product, a fourth combination product, a fifth combination product, a sixth combination product and a seventh combination product;
the first combination product comprises an industrial firewall and an industrial control bastion host;
the second combination product comprises an industrial firewall and an industrial control audit;
the third combination product comprises an industrial firewall and an industrial control access system;
the fourth combination product comprises an industrial firewall, an industrial control bastion host and an industrial control audit;
the fifth combination product comprises an industrial firewall, an industrial control bastion host and an industrial control access system;
the sixth combination product comprises an industrial firewall, an industrial control audit and an industrial control access system;
the seventh combination product comprises an industrial firewall, an industrial control bastion host, an industrial control audit and an industrial control access system.
6. The method of claim 5, wherein generating an identity authentication policy according to the industrial control safety protection product combination corresponding to the monitoring area comprises:
configuring an identity authentication whitelist in the industrial firewall of the industrial control safety protection product combination, the identity authentication whitelist storing identity information of managers and the management rights corresponding to each manager;
and linking the industrial firewall with the remaining industrial safety protection products in the industrial control safety protection product combination to carry out safety protection.
7. The method for protecting an industrial control system based on identity security according to claim 1, wherein the security request includes identity information and request content, and the partitioning the industrial control system according to the security request to obtain a plurality of monitoring areas includes:
after the identity information passes the authentication, dividing the industrial control system into a plurality of monitoring areas according to the request content.
8. The identity-security-based industrial control system protection method of claim 7, wherein the request content includes a request to protect one type of basic equipment and/or a request to protect all basic equipment on one service line and/or a request to protect one item of core data.
9. An industrial control system protection system based on identity security, comprising:
a data processing module (1) for partitioning the industrial control system according to a safety protection request to obtain a plurality of monitoring areas, wherein each monitoring area comprises at least one basic device;
a data calculation module (2) for calculating the total security score and the total risk score of the basic devices contained in the monitoring area;
a data matching module (3) for matching the total security score and the total risk score to obtain the industrial control safety protection product combination corresponding to the monitoring area;
and a data generation module (4) for generating an identity authentication strategy according to the industrial control safety protection product combination corresponding to the monitoring area.
10. A computer readable storage medium, characterized in that a computer program is stored thereon, which program, when being executed by a processor, implements the method according to any of claims 1-8.
CN202410033183.0A 2024-01-09 2024-01-09 Industrial control system protection method, system and storage medium based on identity security Pending CN117852027A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410033183.0A CN117852027A (en) 2024-01-09 2024-01-09 Industrial control system protection method, system and storage medium based on identity security

Publications (1)

Publication Number Publication Date
CN117852027A true CN117852027A (en) 2024-04-09

Family

ID=90539625

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN104539600A (en) * 2014-12-22 2015-04-22 北京卓越信通电子股份有限公司 Industrial control firewall implementing method for supporting filtering IEC 104 protocol
CN106899553A (en) * 2015-12-19 2017-06-27 北京中船信息科技有限公司 A kind of industrial control system safety protecting method based on private clound
US20180026944A1 (en) * 2016-07-21 2018-01-25 AT&T Global Network Services (U.K.) B.V. Assessing risk associated with firewall rules
CN115914551A (en) * 2021-08-20 2023-04-04 浙江宇视科技有限公司 Monitoring safety protection method and device and distribution box

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination