Analysis and Research on China's Industrial Internet Security Development
2022-02-09
WANG Fangyuan
(Hengan Jiaxin (Beijing) Technology Co., Ltd., Beijing 100086, China)
Abstract: Under China's new situation of "integration of informatization and industrialization", security situational awareness is an important means of addressing the unclear boundaries, many roles and complex business relationships of the industrial Internet. The main contents of such a platform are industrial data collection, industrial protocol identification, industrial asset detection and industrial threat monitoring; among its core issues are risk prevention and detection, protection of key data, and protection of cloud platforms and identification resolution nodes. On the one hand, safeguarding industrial Internet business requires aggregating industrial Internet security data and grasping the security situation from an overall perspective. On the other hand, it is also necessary to establish a platform-level security early-warning and emergency-response process, promote security rectification by industrial platform enterprises, uncover the security threats and risks that have long lain hidden in industrial Internet platforms, and provide perception and decision-making support for enterprises.
Keywords: industrial Internet security; situational awareness; security protection
1 Overview of industrial Internet security situation awareness
China's industrial Internet security situational awareness grew out of the industrial Internet security monitoring and protection branch of network security situational awareness. Industrial Internet security is an important branch of the "cloud computing, big data, IoT, mobile Internet and industrial Internet" subdivisions of network security. It has gone through three stages, the embryonic stage, the development stage and the normative stage, and is now moving rapidly towards the mature stage. Industrial Internet security situational awareness refers to the comprehensive security monitoring and awareness capability covering industrial Internet business systems, their various devices, network channels and data storage[1].
At a time when the industrial Internet is developing in full swing, Internet of Things (IoT) technology, cloud computing, industrial big data and 5G are penetrating every process of industrial production. Large traffic volumes, high concurrency and high complexity are its important characteristics[2]. Unlike general system construction, industrial Internet security combines industrial control system security with Internet security. Its challenges are more arduous and demand agile, intelligent and accurate monitoring and early warning for control and assurance; situational awareness is a necessary technical means. An industrial Internet security situational awareness system generally has the following characteristics:
1.1 Unclear boundary and flexible security monitoring
Unlike the relatively clear responsibility boundary of traditional network security, the production, use and maintenance of products in the industrial Internet all fall within the scope of connection management, and the system boundary expands without limit. In scope and complexity, risk level and threat impact it is far larger: consequences range from plant shutdown to equipment damage, loss of control and even casualties. In the industrial Internet, the "Internet of Everything" links the production and use stages closely, promoting customization and intelligence. However, production equipment, control equipment, monitoring equipment and the products themselves are widely integrated with application systems and software, which also exposes them to hackers' attacks and greatly increases security risk. Such a wide boundary needs flexible security monitoring capabilities to match.
1.2 Many roles and a wide range of objects
The monitoring roles involved in industrial Internet security situational awareness include identification resolution nodes, industrial Internet platforms, industrial application equipment, industrial control systems, industrial apps and so on. For each role, the corresponding data collection, asset identification, security monitoring, situation analysis and early-warning disposal must be considered, along with the differing attributes of its IP addresses, network protocols and application systems.
1.3 Complex business connections and high technical difficulty
External two-way flow, and has made great strides towards deep customization and intelligent manufacturing, thus forming a network of connections involving buyers, sellers, materials, regulators, producers and other parties. At present, industrial equipment manufacturers are relatively independent, and the protocols and encryption technologies used by industrial systems and equipment differ, so the construction of industrial Internet security situational awareness must analyze and adapt to them one by one. At the same time, since the core goal of the industrial Internet is to support ubiquitous connection, flexible supply and efficient allocation of manufacturing resources to help enterprises upgrade and transform, industrial Internet security situational awareness must focus on keeping production running smoothly, which further raises the technical difficulty.
2 Main contents of industrial Internet security situational awareness
The industrial Internet security situational awareness platform mainly involves industrial data collection, industrial protocol identification, industrial asset detection and industrial security monitoring. In practice, the industrial Internet's boundaries and assets must be mapped from five perspectives (protection objects, security roles, security threats, security measures and life cycle), network security attacks in the industrial production process must be detected and warned of, the transmission of sensitive data analyzed and safeguarded, and vulnerabilities and risks remediated under guidance.
2.1 Industrial data acquisition
Industrial data acquisition can combine passive monitoring through traffic mirroring or optical taps, collection of asset information from industrial and IT equipment, and active scanning and detection by programs. The types of data collected include asset data, traffic data, security events, vulnerability information, honeypot logs, etc.[3] The content involved includes industrial classification, website filing, IP filing, enterprise scale, industrial applications, industrial protocols, etc. The purpose of data collection is real-time risk monitoring and threat profiling of the objects protected by industrial Internet security situational awareness, such as industrial equipment, industrial networks, industrial systems, industrial enterprises, industrial sectors, industrial parks and industrial Internet service platforms: tracking industrial Internet activity in real time against preset features, strategies, models and logic, and mapping multi-dimensional production vitality and security vulnerability trend curves.
2.2 Industrial protocol identification
Protocol identification and analysis is an important basis for network security analysis. Industrial protocol identification focuses mainly on the ability to decode industrial communication protocols. Industrial Internet communication protocols differ from traditional network protocols: for reasons including their security attributes, enterprises usually work with special-purpose protocols. Common protocols include Modbus, HSE, PROFINET, Ethernet, etc. Each type of industrial protocol uses a different encoding, so a different decoding method is required to recover the data. At present, more than 100 industrial protocols are in wide use. When planning data acquisition and deployment, the equipment must be required to identify and analyze a variety of industrial protocols and to support adding resolution capability for new protocols.
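As an added illustration (not code from the paper), the following Python decoder handles Modbus/TCP, one of the protocols named above: it recovers the MBAP header and function code from raw frames and singles out state-changing write requests and exception responses, the kind of events a monitoring platform would surface. The sample frames are constructed.

```python
import struct

# Public function codes from the Modbus application protocol. The write codes
# change process state, so a monitor singles them out.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

def decode_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length field counts unit id plus PDU
        raise ValueError("MBAP length field does not match the frame size")
    fc = frame[7]
    req = {"tid": tid, "unit": uid, "fc": fc, "addr": 0, "value": 0,
           "write": False, "exception": False}
    if fc & 0x80:  # an exception response echoes the request code with bit 7 set
        req.update(fc=fc & 0x7F, value=frame[8] if len(frame) > 8 else 0, exception=True)
        return req
    if fc not in FUNCTION_NAMES or len(frame) < 12:
        raise ValueError(f"unsupported or truncated function code {fc}")
    addr, val = struct.unpack(">HH", frame[8:12])
    req.update(addr=addr, value=val, write=fc in WRITE_CODES)
    return req

def audit_frames(frames) -> list:
    """One alert line per write request or exception response seen on the wire."""
    alerts = []
    for frame in frames:
        r = decode_modbus_tcp(frame)
        name = FUNCTION_NAMES.get(r["fc"], f"function {r['fc']}")
        if r["exception"]:
            alerts.append(f"unit {r['unit']}: exception code {r['value']} for {name}")
        elif r["write"]:
            alerts.append(f"unit {r['unit']}: {name} addr {r['addr']} value {r['value']}")
    return alerts

# Constructed sample frames (hex): a read request, a write request, an exception
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "00010000000601030000000a",  # read 10 holding registers starting at address 0
    "0002000000060106001000ff",  # write value 255 to holding register 16
    "000300000003018602",        # exception 2 (illegal data address) to function 6
)]
```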
2.3 Industrial asset detection
Because extensive connection is an essential attribute of the industrial Internet, its device terminals and network environment change frequently. Adjustment of equipment and the network environment is bound to affect industrial Internet network security, so monitoring dynamic change events is an essential part of industrial Internet security situational awareness; this is usually done by combining passive registration with active detection. For detection, active access is used to determine whether industrial equipment, applications and platforms are present at a given address and port. Asset detection is a relatively mature technology, but in the industrial Internet, because of the large variety of equipment with differing ports and protocols, it must be tested and adapted for industrial assets. The purpose is to detect the systems, applications, versions, open ports, etc. present in the monitored network and make a preliminary judgment of vulnerabilities and risks based on what has been learned.
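The passive-registration-plus-active-detection combination described above, as an added example that is not the paper's own code: the passive registry is compared with the latest active detection results to produce change events (new, missing and changed assets), which are then ranked so that unregistered or newly exposed industrial services surface first. The inventories and the port table are constructed; 502 is the standard Modbus/TCP port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    ip: str
    open_ports: frozenset   # TCP ports the probe found open
    fingerprint: str        # service/version text the probe identified

# Industrial service ports used in the rating below; 502 is the standard
# Modbus/TCP port. A real deployment extends this with the site's protocol table.
INDUSTRIAL_PORTS = {502: "Modbus/TCP"}

def diff_inventory(registered: dict, detected: dict) -> dict:
    """Compare the passive registry (ip -> Asset) with the latest active detection."""
    report = {"new": sorted(set(detected) - set(registered)),
              "missing": sorted(set(registered) - set(detected)), "changed": {}}
    for ip in sorted(set(registered) & set(detected)):
        old, cur = registered[ip], detected[ip]
        opened = sorted(cur.open_ports - old.open_ports)
        closed = sorted(old.open_ports - cur.open_ports)
        fp_changed = old.fingerprint != cur.fingerprint
        if opened or closed or fp_changed:
            report["changed"][ip] = {"opened": opened, "closed": closed,
                                     "fingerprint_changed": fp_changed}
    return report

def rate_changes(report: dict, detected: dict) -> list:
    """Rank change events: unregistered or newly exposed industrial services first."""
    order = {"high": 0, "medium": 1, "low": 2}
    warnings = []
    for ip in report["new"]:
        svc = [INDUSTRIAL_PORTS[p] for p in detected[ip].open_ports if p in INDUSTRIAL_PORTS]
        warnings.append(("high" if svc else "medium", ip, f"unregistered asset, industrial services {svc}"))
    for ip in report["missing"]:
        warnings.append(("low", ip, "registered asset no longer responds"))
    for ip, ch in report["changed"].items():
        exposed = [INDUSTRIAL_PORTS[p] for p in ch["opened"] if p in INDUSTRIAL_PORTS]
        level = "high" if exposed else ("medium" if ch["fingerprint_changed"] else "low")
        warnings.append((level, ip, f"opened {ch['opened']}, closed {ch['closed']}"))
    return sorted(warnings, key=lambda w: order[w[0]])

# Constructed inventories: registry from passive registration, latest active scan
REGISTERED = {
    "10.10.1.11": Asset("10.10.1.11", frozenset({22, 80}), "HMI web server"),
    "10.10.1.12": Asset("10.10.1.12", frozenset({22}), "engineering workstation"),
}
DETECTED = {
    "10.10.1.11": Asset("10.10.1.11", frozenset({22, 80, 502}), "HMI web server"),
    "10.10.1.13": Asset("10.10.1.13", frozenset({502}), "unknown Modbus/TCP device"),
}
```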
2.4 Industrial threat monitoring
For security detection, early warning and protection in the complex network environment of the industrial Internet, the current common practice is to draw basic experience from mature network security construction and protection and then adjust and optimize it according to the characteristics of the industrial Internet[4]. Because of the importance of industrial production and the mechanism of industrial Internet threat monitoring, it has wider dimensions and stricter timeliness requirements than traditional network security threat monitoring. On the one hand, threat monitoring must quantify the suspicious attacks and potential vulnerabilities detected both internally and externally and present them as real-time, dynamic, visual vertical threat monitoring. On the other hand, it must also integrate the interaction data among peers such as industrial equipment, industrial Internet platforms, industrial enterprise production networks, industrial parks and industrial sectors, to achieve horizontal security situation monitoring and management.
3 Industrial Internet security situation awareness solution
The industrial Internet spans all production factors, the whole industry chain and the whole value chain, and is an important information infrastructure for the digital, networked and intelligent development of industry. The capability infrastructure of an industrial Internet security situational awareness platform covers equipment, control, applications, network and data. Given its uniqueness, the core issues of concern are risk prevention and detection, protection of key data, protection of cloud platforms, and protection of identification resolution nodes.
3.1 Risk prevention and detection
Risk prevention and detection technology for the industrial Internet mainly starts from four dimensions. 1) Use the general network security attack characteristics already mastered, reclassified and screened according to the actual links and importance of the industrial Internet, to assess the attack type and the degree of risk. 2) Build a file-oriented detection capability, especially for executable files; this requires the ability to build Windows, Android, Linux and specific industrial operating environments within the protected object so that suspicious files extracted from them can be executed to identify risks and trace sources. 3) Construct multiple industrial Internet simulation environments and deliberately leave a few hidden vulnerabilities as bait. Once a hacker tries to attack the protected object, the simulation environment becomes an attractive entry point and draws the corresponding attacks, which the monitoring means deployed in advance detect and alert on, achieving early warning and scaring off the "enemy". 4) Audit logs of login, browsing, modification and transmission behavior for key equipment and systems. By comparing them against records of personnel's real operating behavior, traces left by hacker intrusion can be found in time so that intrusion can be stopped in time.
3.2 Protection of critical data
Industrial Internet data refers to the data generated or used in the various links and processes of industrial production and operation, involving a wide range of subjects and types. In general, industrial data security capabilities concentrate on encrypted transmission, encrypted storage and the like, but are weak in data classification, access control, sensitive-data identification and so on. Therefore, protection of key data must add classification, access control and sensitive-data identification on top of strengthening the common practices. Its core idea borrows from current mainstream data security practice. The implementation plan is usually divided into three parts. 1) Classify the protected data first and apply corresponding protection measures to each class, so that the data is "well known". 2) According to the scope of data use, set the corresponding access policy for each user, so that data is "dedicated" to its purpose. 3) Build data-flow monitoring capability: set the sensitive types, sensitive formats and sensitive names to be monitored in real time. Transmission of key data should, as a rule, be encrypted, so once traffic is found to be unencrypted and to match sensitive characteristics, an alarm can be triggered.
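The three-part plan above carried through in Python, as an added example that is not the paper's own implementation: classification rules give each sensitive type a level and a format, an access policy states where each level may flow, and the flow audit alarms when classified data travels unencrypted or leaves its allowed scope. The rules, subnets and flow records are constructed, and the `encrypted` flag is assumed to be set by the collector when it observed a TLS session.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    src: str
    dst: str
    encrypted: bool   # assumed: set by the collector when the session used TLS
    payload: bytes

# Part 1, classification: sensitive type, its level, and the format the monitor
# looks for in plaintext payloads (constructed rules).
SENSITIVE_RULES = [
    ("process recipe", "core", re.compile(rb"RECIPE_ID=\d+")),
    ("PLC credential", "core", re.compile(rb"(?i)password=\S+")),
    ("employee id", "important", re.compile(rb"\bEMP-\d{6}\b")),
]

# Part 2, access policy: where each level may be sent (constructed subnets;
# core data stays inside the production network).
ALLOWED_DESTINATIONS = {"core": [ip_network("10.10.0.0/16")],
                        "important": [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]}

def classify(payload: bytes) -> list:
    """Return the (type, level) pairs whose format matches the payload."""
    return [(name, level) for name, level, rx in SENSITIVE_RULES if rx.search(payload)]

def audit_flow(flow: Flow) -> list:
    """Part 3: alarm on sensitive plaintext, and on sensitive data leaving its scope."""
    if flow.encrypted:
        return []  # payload is opaque to the monitor; nothing to classify
    dst = ip_address(flow.dst)
    alerts = []
    for name, level in classify(flow.payload):
        alerts.append(f"{level} data ({name}) sent unencrypted {flow.src}->{flow.dst}")
        if not any(dst in net for net in ALLOWED_DESTINATIONS[level]):
            alerts.append(f"{level} data ({name}) sent outside its allowed scope to {flow.dst}")
    return alerts

# Constructed sample flows: recipe in plaintext, credential leaving the site,
# a TLS session, and harmless telemetry
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.9", False, b"GET /job?RECIPE_ID=4711 HTTP/1.1"),
    Flow("10.10.1.5", "203.0.113.8", False, b"login user=ops password=Winter24"),
    Flow("10.10.1.5", "10.20.3.3", True, b"\x16\x03\x03\x00\x2a..."),
    Flow("10.10.1.7", "10.10.2.9", False, b"status=OK temperature=71"),
]

def audit_all(flows=SAMPLE_FLOWS) -> list:
    return [alert for flow in flows for alert in audit_flow(flow)]
```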
3.3 Cloud platform protection
While industry actively promotes the networking of industrial enterprises and equipment, it also actively promotes moving the relevant systems and platforms to the cloud. Protection of cloud platforms has therefore become one of the important issues in industrial Internet security situational awareness. The main problems of current industrial Internet cloud platforms are the general lack of standardized data access control, reliable security service establishment and unified industry interfaces. To address this part of security protection, special attention must be paid to the security of microservice establishment, the security of the industrial application development environment and the visibility of traffic within virtual machines; an in-cloud network threat isolation mechanism should be set up to strengthen the security of the virtualization software once the relationships are clarified; and the construction of open, universal industry interfaces should be actively promoted. Generally, "the simpler" and "the more standard", the safer.
3.4 Identification resolution node protection
Identification resolution of the industrial Internet is an important network infrastructure of the industrial Internet. It provides coding, registration and resolution services for industrial equipment, machines, materials, parts and products, and through identification realizes the interconnection, secure sharing and intelligent association of heterogeneous information from different hosts, places and products. It is an important cornerstone of the rapid development of the industrial Internet.
The construction of an industrial Internet security situational awareness platform must realize the discovery of industrial Internet identification resolution nodes, identification of their communication protocols and monitoring of normal resolution behavior, as well as detection and early warning of abnormal risk behavior, and must send risk warnings to the resolution nodes and attacked enterprises in a timely manner through asset-related information and guide reinforcement and repair.
4 Conclusion
At present, although governments everywhere are actively guiding industrial enterprises to pay more attention to and invest in network security during industrial Internet transformation and upgrading, the complexity of industrial Internet security still exceeds what enterprises expect. Industrial Internet security is no longer a problem that a single enterprise, industry or company can solve. In the face of complex industrial Internet security protection, more organizations and departments need to participate together, establish a flexible and responsive information-sharing and coordinated-disposal mechanism, and achieve multi-party coordination to solve ever more complex and volatile industrial Internet security problems. Realizing complementary defense capabilities as development proceeds can not only achieve synergy and efficiency of technology and capabilities but also avoid wasting resources, which safeguards the development of China's industrial Internet.