WO2024060245A1 - Method and apparatus for analyzing device trust level, electronic device, and storage medium - Google Patents

Info

Publication number: WO2024060245A1
Authority: WO (WIPO, PCT)
Prior art keywords: risk, security, level, information, operational
Application number: PCT/CN2022/121079
Other languages: English (en), Chinese (zh)
Inventor: 郭代飞
Original Assignee: 西门子股份公司; 西门子(中国)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Definitions

  • This application relates to the field of industrial automation technology, and in particular to a device trust level analysis method, apparatus, electronic device and storage medium.
  • Operational Technology (OT) is the specialized technology that supports factory automation control systems so that production runs normally.
  • OT equipment is used by operators to provide technical support for automated control systems.
  • OT equipment includes host computers, engineer stations, operator stations, servers, programmable logic controllers (PLC), etc.
  • PLC: Programmable Logic Controller.
  • The device trust level analysis method, apparatus, electronic device and storage medium provided in this application can improve the security of industrial networks.
  • In a first aspect, a device trust level analysis method is provided, which includes: collecting traffic data of operational technology equipment in an industrial network; obtaining security-related data of the operational technology equipment; performing security analysis on the operational technology equipment based on the traffic data to obtain first risk information; performing security analysis on the operational technology equipment based on the security-related data to obtain second risk information; and determining the trust level of the operational technology equipment based on the first risk information and the second risk information.
  • A device trust level analysis apparatus is provided, including: a collection unit, used to collect traffic data of operational technology equipment in an industrial network; an acquisition unit, used to obtain security-related data of the operational technology equipment; a first analysis unit, configured to perform security analysis on the operational technology equipment based on the traffic data to obtain first risk information; a second analysis unit, configured to perform security analysis on the operational technology equipment based on the security-related data to obtain second risk information; and an integration unit, configured to determine the trust level of the operational technology equipment based on the first risk information and the second risk information.
  • An electronic device is provided, including a processor, a memory, a communication interface and a bus. The processor, the memory and the communication interface communicate with each other through the bus. The memory is used to store at least one executable instruction, which causes the processor to perform the operations corresponding to the device trust level analysis method described in the first aspect.
  • A computer-readable storage medium is provided, on which computer instructions are stored. When executed by a processor, the computer instructions cause the processor to execute the device trust level analysis method described in the first aspect.
  • A computer program product is provided, which is tangibly stored on a computer-readable medium and includes computer-executable instructions which, when executed, cause at least one processor to execute the device trust level analysis method described in the first aspect.
  • The traffic data of the operational technology equipment is collected and the security-related data of the operational technology equipment is obtained.
  • The first risk information is obtained by analyzing the traffic data, and the second risk information is obtained by analyzing the security-related data.
  • Both the first risk information and the second risk information indicate the impact of the operational technology equipment on the security of the industrial network, so the trust level of the operational technology equipment can be determined based on the two together.
  • If the trust level of the operational technology equipment does not meet the requirements, the operational technology equipment has a greater impact on the security of the industrial network and is removed from the industrial network. Operational technology equipment with security problems can thus be discovered comprehensively and promptly and removed from the industrial network, improving the security of the industrial network.
  • Figure 1 is a flow chart of a device trust level analysis method according to an embodiment of the present application.
  • Figure 2 is a schematic diagram of a device trust level analysis system according to another embodiment of the present application.
  • Figure 3 is a flow chart of a security analysis method according to an embodiment of the present application.
  • Figure 4 is a flow chart of a security analysis method according to another embodiment of the present application.
  • Figure 5 is a flow chart of a trust level determination method according to an embodiment of the present application.
  • Figure 6 is a schematic diagram of a device trust level analysis device according to an embodiment of the present application.
  • Figure 7 is a schematic diagram of an electronic device according to an embodiment of the present application.
  • Step 503 Determine the higher risk level among the first risk information and the second risk information as the comprehensive risk information.
  • Reference numerals: 204: trust level analysis module; 205: device trust database; 206: agent program.
  • 601: collection unit; 602: acquisition unit; 603: first analysis unit.
  • OT equipment is connected to and controls high-value equipment.
  • For example, a PLC is connected to and controls measuring equipment. If there is a problem with the PLC, the measuring equipment may fail, causing high economic losses.
  • Detailed security testing is performed on the OT equipment to ensure that the OT equipment has high security, so that the industrial network also has high security after the OT equipment is connected to it.
  • In this application, the traffic data of the OT equipment is collected and the security-related data of the OT equipment is obtained; the security impact of the OT equipment on the industrial network is determined from both, and the trust level of the OT equipment is then determined.
  • When the trust level of an OT device does not meet the requirements, the OT device is removed from the industrial network. This enables comprehensive and timely discovery of OT equipment with security issues and improves the security of industrial networks.
  • In the following, the operational technology equipment is the above-mentioned OT equipment.
  • FIG. 1 is a flow chart of a device trust level analysis method according to an embodiment of the present application. As shown in Figure 1, the device trust level analysis method 100 includes the following steps:
  • Step 101 Collect traffic data of operational technology equipment in the industrial network.
  • The industrial network includes one or more pieces of operational technology equipment.
  • The operational technology equipment can be a host computer, engineer station, operator station, server, PLC, etc. Operational technology equipment connects to measuring equipment, motors, sensors and other devices in the industrial network. Based on a zero-trust environment, the operational technology equipment in the industrial network is securely managed: when the trust level of the operational technology equipment does not meet the security requirements of the industrial network, the operational technology equipment is removed from the industrial network to ensure the security of the industrial network.
  • Zero trust is a network security protection concept that does not trust any person, device or system inside or outside the network by default. It rebuilds the trust foundation of access control on identity authentication and authorization, thereby ensuring that identities, devices, applications and links are trusted. Based on the zero trust principle, the terminal security, link security and access control security of industrial networks can be guaranteed.
  • Traffic data is the communication data used by the operational technology equipment to communicate with other equipment in the industrial network.
  • From the traffic data, the device information and network behavior information of the operational technology equipment can be determined.
  • Step 102 Obtain security-related data of the operational technology equipment.
  • Security-related data of the operational technology equipment includes configuration information, log information, account information, process and service information, etc.
  • The security of the operational technology equipment can be analyzed based on the security-related data.
  • Step 103 Conduct security analysis on the operational technology equipment based on the traffic data to obtain the first risk information.
  • The security of the operational technology equipment is analyzed based on the traffic data, and the security impact of the operational technology equipment on the industrial network is evaluated.
  • The first risk information indicates the level of risk that the operational technology equipment poses to industrial network security.
  • Step 104 Conduct security analysis on the operational technology equipment based on the security-related data to obtain the second risk information.
  • Based on the security-related data, the security configuration, account permission configuration, processes and services of the operational technology equipment are analyzed to determine whether the operational technology equipment has security issues that may affect the security of the industrial network, and the second risk information of the operational technology equipment is obtained.
  • The second risk information likewise indicates the risk level of the impact of the operational technology equipment on the security of the industrial network.
  • Step 105 Determine the trust level of the operational technology equipment based on the first risk information and the second risk information.
  • The first risk information and the second risk information are combined to determine the impact of the operational technology equipment on industrial network security and thereby obtain the trust level of the operational technology equipment.
  • FIG. 2 is a schematic diagram of a device trust level analysis system according to an embodiment of the present application.
  • The operational technology equipment 201 in the industrial network is connected to the switch 202.
  • The measurement equipment, driving equipment, etc. in the industrial network are directly or indirectly connected to the switch 202.
  • Through the switch 202, the operational technology equipment 201 is connected to other operational technology equipment 201 or to measuring equipment, driving equipment, etc.
  • The data collector 203 is connected to the mirror port on each switch 202, and the data collector 203 can collect traffic data of the operational technology equipment 201 from the switch 202 through the mirror port.
  • After the data collector 203 collects the traffic data of the operational technology equipment 201, it sends the traffic data to the trust level analysis module 204.
  • The trust level analysis module 204 performs security analysis on the operational technology equipment 201 based on the traffic data, according to the device trust level analysis method provided by the embodiments of this application, and after obtaining the trust level of the operational technology equipment 201, stores the trust level in the device trust database 205. According to the trust level stored in the device trust database 205, the operational technology equipment 201 in the industrial network can be securely managed: if the trust level of a certain operational technology equipment 201 does not meet the security requirements of the industrial network, that operational technology equipment 201 is removed from the industrial network.
  • The data collector 203 can be any type of device that can collect traffic data through the mirror port of the switch, such as an intelligent gateway or an intelligent host that can realize the above functions.
  • The trust level analysis module 204 can be implemented by computer software, electronic hardware, or a combination of the two.
  • The electronic hardware can be a computer, processor, microprocessor, controller or programmable hardware.
  • The device trust database 205 can be a local database, a terminal database, etc.
  • Because the operational technology equipment communicates with other equipment in the industrial network through the switch, collecting its traffic data through the mirror port on the switch yields all communication data between the operational technology equipment and other equipment.
  • An agent program 206 is provided in the operational technology equipment 201.
  • The agent program 206 collects security-related data of the operational technology equipment 201 and pushes the collected security-related data to the trust level analysis module 204, or the trust level analysis module 204 pulls the security-related data from the agent program 206.
  • The trust level analysis module 204 performs security analysis on the operational technology equipment 201 based on the security-related data, according to the device trust level analysis method provided by the embodiments of the present application, and after obtaining the trust level of the operational technology equipment 201, stores the trust level in the device trust database 205.
  • The communication between the agent program 206 and the trust level analysis module 204 is implemented through the switch 202 and the data collector 203. That is, after the agent program 206 collects the security-related data, the security-related data is first transmitted from the agent program 206 to the switch 202, then from the switch 202 to the data collector 203, and then from the data collector 203 to the trust level analysis module 204.
  • The trust level analysis module 204 and the agent program 206 can communicate through protocols such as SNMP, syslog, RDP or SSH, so that the security-related data collected by the agent program 206 is obtained by push or pull.
  • Because an agent program is set up in the operational technology equipment, the security-related data of the operational technology equipment can be collected through the agent program and then used for security analysis of the operational technology equipment. The security-related data can be collected easily through the agent program without affecting the normal operation of the operational technology equipment.
  • FIG 3 is a flow chart of a security analysis method according to an embodiment of the present application. This embodiment illustrates the security analysis of operational technology equipment based on traffic data. As shown in Figure 3, the security analysis method 300 includes the following steps:
  • Step 301 Analyze the traffic data to obtain device information of the operational technology equipment.
  • The device information of the operational technology equipment can be identified from the traffic data.
  • Device information includes the name of the operational technology device, firmware version, application information, vendor and device type, etc.
  • Step 302 Query the vulnerability database according to the device information to determine the vulnerability information of the operational technology equipment.
  • the vulnerability database records the correspondence between device information and vulnerabilities, such as the correspondence between device firmware version, application information and other information and vulnerabilities. After obtaining the device information of the operational technology equipment, the vulnerability database is queried based on the device information, and the vulnerability information of the operational technology equipment is obtained. This vulnerability information can indicate vulnerabilities in the operational technology equipment.
  • Step 303 Determine the first risk level of the operational technology equipment based on the vulnerability information.
  • Vulnerability information can indicate vulnerabilities in operational technology equipment. Vulnerabilities can be divided into different levels according to the severity of the vulnerability. Then, the first risk level of operational technology equipment can be determined based on the level of vulnerabilities in operational technology equipment. For example, vulnerabilities are divided into three levels: high risk, medium risk, and low risk according to severity. If there is at least one high-risk vulnerability in the operational technology equipment, the first risk level of the operational technology equipment is determined to be the high risk level. If there are medium-risk vulnerabilities in operational technology equipment, or there are medium-risk vulnerabilities and low-risk vulnerabilities, the first risk level of the operational technology equipment is determined to be the medium risk level. If the operational technology equipment only has low-risk vulnerabilities, the first risk level of the operational technology equipment is determined to be the low risk level.
  • Step 304 Extract behavioral information of the operational technology equipment from the traffic data.
  • The network behavior of the operational technology equipment can be identified from the traffic data, and behavioral information indicating that network behavior can then be obtained.
  • Step 305 Determine the second risk level of the operational technology equipment based on the behavioral information.
  • Behavioral information indicates the network behavior of the operational technology equipment, so an abnormal network behavior database can be queried based on the behavioral information to identify abnormal network behavior of the operational technology equipment, and the second risk level of the operational technology equipment is then determined based on the severity of the abnormal network behavior. Abnormal network behaviors include high-traffic access, network brute-force password cracking, abnormal control and other behaviors.
  • abnormal network behavior can be divided into three levels: high risk, medium risk, and low risk. If the operational technology equipment exhibits abnormal network behavior with a high risk level, the second risk level of the operational technology equipment is determined to be the high risk level. If the operational technology equipment experiences abnormal network behavior at a medium risk level, or there is an abnormal network behavior at a medium risk level and an abnormal network behavior at a low risk level, the second risk level of the operational technology equipment is determined to be the medium risk level. If the operational technology equipment only exhibits abnormal network behavior of a low risk level, the second risk level of the operational technology equipment is determined to be a low risk level.
  • Step 306 Determine the first risk information of the operational technology equipment based on the first risk level and the second risk level.
  • The first risk level is the risk level determined based on vulnerabilities, and the second risk level is the risk level determined based on network behavior.
  • The first risk level and the second risk level are combined to determine the first risk information of the operational technology equipment.
  • By analyzing the traffic data, the vulnerabilities and abnormal network behaviors of the operational technology equipment can be determined; the first risk level is then determined based on the severity of the vulnerabilities and the second risk level based on the severity of the abnormal network behaviors, and the two are combined into the first risk information. The first risk information therefore reflects the risk of the operational technology equipment from the two dimensions of vulnerabilities and abnormal network behavior and accurately indicates the severity of the security issues of the operational technology equipment.
  • The higher risk level among the first risk level and the second risk level may be determined as the first risk information. If the first risk level is higher than or equal to the second risk level, the first risk level is determined as the first risk information; if the first risk level is lower than the second risk level, the second risk level is determined as the first risk information.
  • The first risk level is determined based on the severity of the vulnerabilities, the second risk level based on the severity of the abnormal network behavior, and the higher of the two is determined as the first risk information.
  • FIG. 4 is a flow chart of a security analysis method according to another embodiment of the present application. This embodiment illustrates the security analysis of operational technology equipment based on security-related data. As shown in Figure 4, the security analysis method 400 includes the following steps:
  • Step 401 Extract security events of the operational technology equipment from the security-related data, and determine the third risk level of the security events.
  • Security events of the operational technology equipment can be extracted from the security-related data. Based on the severity of the impact of the security events on security, the third risk level is determined. It should be understood that when extracting security events from security-related data, one security event or multiple security events may be extracted.
  • The risk level of security events can be divided into three levels: high risk, medium risk and low risk. If there is a high-risk security event among the extracted security events, the third risk level is determined to be the high risk level. If the extracted security events include only medium-risk security events, or medium-risk and low-risk security events, the third risk level is determined to be the medium risk level. If the extracted security events include only low-risk security events, the third risk level is determined to be the low risk level.
  • Step 402 Conduct security analysis on the configuration of the operational technology equipment based on the security-related data to obtain the fourth risk level.
  • The configuration information of the operational technology equipment includes security policies, permission policies, log configurations, patch status, etc. Analyzing the configuration of the operational technology equipment based on the security-related data can identify unsafe configurations and misconfigurations of the operational technology equipment; these are classified by severity into corresponding levels to obtain the fourth risk level.
  • Unsafe configurations and misconfigurations are divided into three levels according to severity: high risk, medium risk and low risk. For example, if a missing critical patch may pose a high risk to the operational technology equipment, the fourth risk level is determined to be high risk.
  • Step 403 Conduct security analysis on the accounts of the operational technology equipment based on the security-related data to obtain the fifth risk level.
  • Unused administrator accounts of the operational technology equipment, as well as improper configurations and weak passwords of administrator accounts, can be identified to discover possible risks to the operational technology equipment.
  • Issues such as unused administrator accounts, improperly configured administrator accounts and weak passwords are divided into three levels based on severity: high risk, medium risk and low risk. For example, if an administrator account with a weak password may pose a high risk to the operational technology equipment, the fifth risk level is determined to be high risk.
  • Step 404 Conduct security analysis on the processes and services of the operational technology equipment based on the security-related data to obtain the sixth risk level.
  • The processes and services running on the operational technology equipment can be identified based on the security-related data; unsafe or unused processes and services are then determined against a security baseline database to assess possible risks to the operational technology equipment, and the sixth risk level is determined from that risk level.
  • The risks caused by processes and services are divided into three levels: high risk, medium risk and low risk.
  • For example, an unpatched shared service may be exploited by high-risk malware and pose a high risk to the operational technology equipment, so the sixth risk level is determined as the high risk level. If there are processes on the operational technology equipment that are not in the whitelist, the sixth risk level is determined as the medium risk level.
  • Step 405 Analyze the security log included in the security-related data to obtain the seventh risk level.
  • the security logs of operational technology equipment can be extracted, and possible abnormal behaviors or attack behaviors can be analyzed to identify malicious activities and evaluate the security status of operational technology equipment.
  • the seventh risk level can be determined based on the severity of the security status assessment results.
  • The security status of the operational technology equipment is divided into three levels based on the severity of the assessment results: high risk, medium risk and low risk. For example, a successful brute-force password guessing attack could pose a high risk to the operational technology equipment, so the seventh risk level would be determined as high risk.
  • Step 406 Determine the second risk information based on the third risk level, the fourth risk level, the fifth risk level, the sixth risk level and the seventh risk level.
  • the third risk level is determined based on security incidents occurring in operational technology equipment
  • the fourth risk level is determined based on an analysis of the configuration of operational technology equipment
  • the fifth risk level is determined based on an analysis of the accounts of operational technology equipment
  • the sixth risk level is determined based on an analysis of the accounts of operational technology equipment.
  • the level is determined based on the analysis of the processes and services of the operational technology equipment.
  • the seventh risk level is determined based on the analysis of the security logs of the operational technology equipment.
  • the third risk level, the fourth risk level, the fifth risk level, the sixth risk level are combined.
  • the risk level and the seventh risk level determine the second risk information of the operational technical equipment, so that the second risk information can more accurately reflect the safety status of the operational technical equipment, thereby ensuring the accuracy of the trust level determined based on the second risk information.
  • the third risk level, the fourth risk level, the fifth risk level, the sixth risk level and the The highest risk level among the seven risk levels is determined as the second risk information.
  • the third risk level is determined based on the severity of the security incident
  • the fourth risk level is determined based on the severity of the configuration problem
  • the fifth risk level is determined based on the severity of the account problem
  • the sixth risk level is determined based on the severity of the process and service problem
  • the seventh risk level is determined based on the severity of the abnormal behavior.
  • the highest risk level among the third risk level to the seventh risk level is determined as the second risk information, so that the second risk information is never lower than any of the third risk level to the seventh risk level, that is, it covers each of them.
  • FIG. 5 is a flow chart of a trust level determination method according to an embodiment of the present application. This embodiment illustrates the process of determining the trust level of operational technical equipment based on the first risk information and the second risk information. As shown in Figure 5, the trust level determination method 500 includes the following steps:
  • Step 501 Obtain system status data of operational technical equipment.
  • the agent program 206 can not only collect security-related data of the operational technology equipment 201, but also collect system status data of the operational technology equipment 201.
  • the system status data is obtained by the trust level analysis module 204 in a push or pull manner.
  • the trust level analysis module 204 performs security analysis on the operational technology equipment 201 according to the system status data according to the equipment trust level analysis method provided by the embodiment of the present application to determine the trust level of the operational technology equipment 201 .
  • System status data includes central processor utilization, graphics processor utilization, random access memory utilization, system disk performance, resource usage of abnormal processes, network bandwidth usage, etc.
  • Step 502 Conduct security analysis on the operational technical equipment based on the system status data to obtain third risk information.
  • Abnormal system status of operational technical equipment may be caused by security incidents or abnormal activities.
  • the severity of the system status abnormality is determined based on the system status data, and third risk information indicating the severity of the system status abnormality is obtained.
  • system status abnormalities can be divided into three levels: high risk, medium risk, and low risk.
  • a first threshold and a second threshold are set in advance for each parameter of the system status data, and the first threshold is greater than the second threshold. If the value of at least one parameter included in the system status data is greater than the corresponding first threshold, the third risk information is determined to be a high risk level. If the value of each parameter included in the system status data is less than or equal to the corresponding first threshold, and there is at least one parameter whose value is greater than the corresponding second threshold, the third risk information is determined to be a medium risk level. If the value of each parameter included in the system status data is less than or equal to the corresponding second threshold, the third risk information is determined to be a low risk level.
  • the third risk information is determined to be a high risk level.
  • Step 503 Determine the risk information corresponding to a higher risk level among the first risk information and the second risk information as comprehensive risk information.
  • the first risk information is the higher risk level among the first risk level and the second risk level
  • the second risk information is the higher risk level among the third risk level to the seventh risk level
  • the first risk information may be a high risk level, a medium risk level or a low risk level
  • the second risk information may also be a high risk level, a medium risk level or a low risk level.
  • if at least one of the first risk information and the second risk information is a high risk level, the comprehensive risk information is a high risk level.
  • Step 504 Modify the comprehensive risk information according to the third risk information to obtain target risk information.
  • the third risk information is determined based on the system status of the operational technology equipment.
  • the system status can more intuitively indicate the security issues of the operational technology equipment.
  • for example, if the comprehensive risk information is a medium risk level and the third risk information is a high risk level, the security problems of the operational technology equipment may pose a high risk, so the comprehensive risk information is revised to a high risk level, that is, the target risk information is a high risk level.
  • Step 505 Determine the trust level of the operational technical equipment based on the target risk information.
  • the trust level of operational technology equipment is negatively related to the risk level corresponding to the target risk information.
  • the target risk information can be high risk level, medium risk level or low risk level.
  • the trust level of operational technical equipment includes high trust level, medium trust level and low trust level. If the target risk information is a high risk level, the trust level is a low trust level. If the target risk information is a medium risk level, the trust level is a medium trust level. If the target risk information is a low risk level, the trust level is a high trust level.
  • the trust level is positively related to the credibility of operational technology equipment, that is, the higher the trust level, the higher the credibility of operational technology equipment.
  • the trust level includes a high trust level, a medium trust level and a low trust level
  • the credibility of the high trust level is higher than the credibility of the medium trust level
  • the credibility of the medium trust level is higher than the credibility of the low trust level.
  • the first risk information is determined based on the traffic data
  • the second risk information is determined based on the security-related data
  • the third risk information is determined based on the system status information
  • the first risk information, the second risk information and the third risk information are used together to determine the trust level of the operational technology equipment. Since the trust level is evaluated through traffic data, security-related data and system status data, the zero-trust environment can identify the security status of operational technology equipment more comprehensively and discover non-compliant and uncertain states of operational technology equipment more quickly, thereby ensuring the security of industrial networks and operational technology equipment.
  • traffic data, security-related data and system status data may not all be obtained. For example, only traffic data and security-related data are obtained but system status data is not, or only some traffic data, some security-related data and some system status data are obtained, etc.
  • the risk level that would be determined from the missing part of the data is set to a default risk level, for example the low risk level, thereby ensuring that the trust level determination process can proceed normally and giving the device trust level analysis method provided by the embodiment of this application strong applicability.
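  • The aggregation described in steps 406 and 501 to 505, together with the default level for missing data, as an added worked example (not code from the application): the threshold table, parameter names and percentages are constructed for illustration, and the step 504 revision is modelled as taking the higher of the comprehensive and third risk levels, an assumption consistent with the medium-to-high example above.

```python
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Risk(IntEnum):
    """Risk level; the ordering matters because aggregation takes the maximum."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


class Trust(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Step 505: the trust level is the inverse of the target risk level.
TRUST_FOR_RISK = {Risk.HIGH: Trust.LOW, Risk.MEDIUM: Trust.MEDIUM, Risk.LOW: Trust.HIGH}

# Default level substituted for any data source that was not obtained.
DEFAULT_RISK = Risk.LOW

# Step 502: (first_threshold, second_threshold) per system status parameter, with
# first > second. Names and percentages are constructed for this example.
THRESHOLDS: Dict[str, Tuple[float, float]] = {
    "cpu_util": (90.0, 70.0),
    "ram_util": (90.0, 75.0),
    "disk_busy": (95.0, 80.0),
    "net_bandwidth_util": (80.0, 50.0),
}
assert all(first > second for first, second in THRESHOLDS.values())


def system_status_risk(status: Dict[str, float]) -> Risk:
    """Third risk information: HIGH if any parameter exceeds its first threshold,
    MEDIUM if none does but at least one exceeds its second threshold, else LOW.
    A parameter without configured thresholds raises KeyError instead of being
    silently ignored, so a misnamed metric cannot lower the result."""
    level = Risk.LOW
    for name, value in status.items():
        first, second = THRESHOLDS[name]
        if value > first:
            return Risk.HIGH
        if value > second:
            level = Risk.MEDIUM
    return level


def highest(levels: Iterable[Optional[Risk]]) -> Risk:
    """Highest risk level among the inputs (step 406 for the third to seventh
    levels, step 503 for the first and second risk information). A missing
    input (None) counts as DEFAULT_RISK so the process proceeds on partial data."""
    return max(DEFAULT_RISK if lvl is None else lvl for lvl in levels)


def trust_level(first_risk: Optional[Risk], second_risk: Optional[Risk],
                status: Optional[Dict[str, float]]) -> Trust:
    """Steps 503 to 505 end to end."""
    third_risk = None if status is None else system_status_risk(status)
    comprehensive = highest([first_risk, second_risk])   # step 503
    target = highest([comprehensive, third_risk])         # step 504: revision only raises the level
    return TRUST_FOR_RISK[target]                         # step 505
```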
  • FIG. 6 is a schematic diagram of a device trust level analysis device according to an embodiment of the present application. As shown in Figure 6, the device trust level analysis device 600 includes:
  • a collection unit 601, used to collect traffic data of operational technical equipment in the industrial network;
  • an acquisition unit 602, used to acquire security-related data of the operational technical equipment;
  • the first analysis unit 603 is used to perform security analysis on operational technical equipment based on traffic data and obtain first risk information;
  • a second analysis unit 604 configured to perform a security analysis on the operational technical equipment according to the security-related data to obtain second risk information
  • the integration unit 605 is configured to determine the trust level of the operational technical equipment based on the first risk information and the second risk information.
  • FIG. 7 is a schematic diagram of an electronic device provided in Embodiment 4 of the present application.
  • the specific embodiment of the present application does not limit the specific implementation of the electronic device.
  • the electronic device 700 provided by the embodiment of the present application includes: a processor (processor) 702, a communications interface (Communications Interface) 704, a memory (memory) 706, and a bus 708, in which:
  • the processor 702, the communication interface 704, and the memory 706 communicate with each other through the bus 708.
  • Communication interface 704 is used to communicate with other electronic devices or servers.
  • the processor 702 is used to execute the program 710, and specifically can execute the relevant steps in the above-mentioned device trust level analysis method embodiment.
  • program 710 may include program code including computer operating instructions.
  • the processor 702 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
  • the one or more processors included in the smart device can be the same type of processor, such as one or more CPUs; or they can be different types of processors, such as one or more CPUs and one or more ASICs.
  • Memory 706 is used to store programs 710.
  • Memory 706 may include high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the program 710 may be specifically used to cause the processor 702 to execute the device trust level analysis method in any of the foregoing embodiments.
  • for the specific implementation of each step in program 710, please refer to the corresponding steps and the corresponding descriptions of the units in the above device trust level analysis method embodiment, which will not be described again here.
  • Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the above-described devices and modules can be referred to the corresponding process descriptions in the foregoing method embodiments, and will not be described again here.
  • the traffic data of the operational technical equipment is collected, and the safety-related data of the operational technical equipment is obtained.
  • the first risk information is obtained by analyzing the flow data
  • the second risk information is obtained by analyzing the safety-related data.
  • both the first risk information and the second risk information can indicate the impact of the operational technology equipment on the security of the industrial network
  • the trust level of the operational technology equipment can be determined based on the first risk information and the second risk information.
  • if the trust level of the operational technology equipment does not meet the requirements, this means that the operational technology equipment will have a greater impact on the security of the industrial network, and the operational technology equipment is removed from the industrial network. The method can thus comprehensively and promptly discover operational technology equipment with security problems in the industrial network and remove it from the industrial network, thereby improving the security of the industrial network.
  • the present application also provides a computer-readable storage medium that stores instructions for causing a machine to execute the device trust level analysis method as described herein.
  • a system or device equipped with a storage medium may be provided, on which the software program code that implements the functions of any of the above embodiments is stored, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
  • the program code itself read from the storage medium can implement the functions of any one of the above embodiments, and therefore the program code and the storage medium storing the program code form part of this application.
  • Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), tapes, non-volatile memory cards and ROM.
  • the program code can be downloaded from the server computer via the communications network.
  • the program code read from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then based on the instructions of the program code, a CPU installed on the expansion board or expansion module is enabled to perform part or all of the actual operations, thereby realizing the functions of any of the above-mentioned embodiments.
  • Embodiments of the present application also provide a computer program product, which is tangibly stored on a computer-readable medium and includes computer-executable instructions that, when executed, cause at least one processor to execute the device trust level analysis method provided by the above embodiments. It should be understood that each solution in this embodiment has the corresponding technical effects of the above method embodiment, which will not be described again here.
  • the hardware module can be implemented mechanically or electrically.
  • a hardware module may include permanently dedicated circuitry or logic (such as a specialized processor, FPGA, or ASIC) to complete the corresponding operation.
  • Hardware modules may also include programmable logic or circuits (such as general-purpose processors or other programmable processors), which can be temporarily set by software to complete corresponding operations.
  • the specific implementation method (a mechanical method, a dedicated permanent circuit, or a temporarily configured circuit)


Abstract

The present application relates to a method and an apparatus for analyzing a device trust level, an electronic device, and a storage medium. The device trust level analysis method includes the following steps: collecting traffic data of an operational technology device in an industrial network; obtaining security-related data of the operational technology device; performing a security analysis on the operational technology device according to the traffic data to obtain first risk information; performing a security analysis on the operational technology device according to the security-related data to obtain second risk information; and determining the trust level of the operational technology device according to the first risk information and the second risk information. With this solution, the security of an industrial network can be improved.
PCT/CN2022/121079 2022-09-23 2022-09-23 Method and apparatus for analyzing a device trust level, electronic device, and storage medium WO2024060245A1 (fr)


Publications (1)

Publication Number Publication Date
WO2024060245A1 true WO2024060245A1 (fr) 2024-03-28
