Zero Trust Network Helps the Construction of Industrial Internet Security System
With the rapid development of IT technologies such as cloud computing, big data, the Internet of Things, 5G and edge computing, industrial Internet applications have gained strong support. As one of the key directions of "new infrastructure", the industrial Internet has entered a fast lane of development that is expected to accelerate the shift from "Made in China" to "Intelligently Made in China" and promote high-quality development of the real economy.

The deep integration of new IT technology with traditional industrial OT technology is making industrial systems progressively interconnected and open. The same openness aggravates the security risks faced by industrial manufacturing and brings harder security challenges. According to CNCERT's summary of China's Internet security situation in 2019, large industrial Internet platforms in China were attacked on average 90 times per day.

The industrial Internet connects a large number of industrial control systems and devices, aggregates massive volumes of industrial data and builds an application ecosystem that is tightly coupled to production and enterprise management. Once it is compromised, production may come to a standstill; the impact is not limited to a single enterprise but can spread across the whole industrial ecosystem, causing heavy losses to the national economy, affecting social stability and even threatening national security.

A recent major industrial security incident illustrates the point. On May 7, 2021, Colonial Pipeline, the largest refined-fuel pipeline operator in the United States, was hit by ransomware and shut down its 5,500-mile pipeline, seriously disrupting fuel supply on the US East Coast. The United States declared a regional emergency, described at the time as the first such declaration triggered by a cyber attack.

Grouped by the object being protected, the security threats arising from the convergence of 5G and the industrial Internet can be analyzed from four angles: network access, industrial control, industrial data, and application access.

01 Network access security

5G opens the era of the Internet of Everything. Its integration with the industrial Internet makes it possible to connect large numbers of industrial terminals, such as CNC machine tools, industrial robots, AGVs and other high-value production equipment. If these key terminals carry vulnerabilities, design defects or backdoors, exposing them to the comparatively open 5G network multiplies the points at which they can be attacked.

02 Industrial control security

Traditional industrial networks were relatively closed and were built without an overall security concept or a systematic security management and protection system. Many industrial control protocols, control platforms and software were designed without basic security controls: there is no data integrity protection or authentication in the protocol, authorization and access control are loose, and identity verification is weak. As innovative industrial applications connect these formerly closed networks to the Internet, the risk that industrial control protocols and industrial IT systems are attacked and abused rises accordingly.

03 Data transmission and invocation security

The large-scale adoption of emerging IT technologies such as cloud computing and virtualization in the industrial Internet has raised the utilization of key industrial equipment and made the manufacturing process more intelligent and transparent. It has also broken the originally closed, self-contained industrial network, leaving the security boundary blurred or eroded. External application data flows and access to in-plant data resources lack sufficient visibility and corresponding controls. At the same time, open APIs and multi-application access mean that production management data and production operation data, once confined to the plant, now flow to, interact with and are shared among applications and data sources outside the factory, greatly increasing the risk to industrial data in transit and at rest.

04 Application access security

The innovative scenarios at the core of the industrial Internet bring in more participants: their underlying networks, OT networks, production equipment, applications and systems. Deep integration with 5G gives them more capable network services and more flexible means of access, but it also introduces new risks and challenges, and application access security has become an increasingly prominent problem.

To address these security problems, the optical grid network of Evervite Networks, a subsidiary of Qingyun Technology, has designed SD-NaaS (Software-Defined Network & Security as a Service) for the industrial Internet sector. The solution is built on a zero-trust network security model with unified identity authentication and access control, and unified control of both east-west and north-south traffic. With SD-NaaS an industrial Internet platform can build a dynamic virtual boundary that does not expose applications directly to the outside, provides real-time authentication and dynamic authorization of accessing terminals and networks, and governs the access behaviour of internal and external users, terminal devices, industrial hosts in the plant, edge computing gateways, application systems and other access subjects towards the platform, thereby raising the platform's overall security protection capability. The aim is to help enterprises build an industrial Internet security system on a zero-trust network protection architecture, so that 5G, edge computing, the Internet of Things and related capabilities can better serve industrial Internet development.

The industrial Internet security system based on optical grid SD-NaaS architecture can be roughly divided into four levels:

Network Security Access Based on Unified Identity Authentication

Firstly, the SD-NaaS platform introduces the zero-trust security concept and applies a new identity authentication and management model to every user and industrial control terminal that accesses the industrial Internet, providing comprehensive authentication services, dynamic business authorization and centralized policy management. SD-NaaS continuously collects log information from accessing terminals, continuously evaluates each terminal's trust by combining the identity database, the permission database, big data analysis and identity profiling, and grants network access dynamically on the basis of identity, permissions, trust level and security policy.

Industrial control security with least privilege and dynamic authorization

Secondly, in response to the security risks facing industrial control networks in the industrial Internet era, the SD-NaaS zero-trust platform introduces a new mechanism for allocating control permissions. Following the principle of "least privilege and dynamic authorization", control decisions no longer rest on simple static rules (IP blacklists and whitelists, static permission policies and the like) but on the distinct identities and trust levels of industrial control administrators, engineers and operators. Security policy is set per terminal type, such as servers, field control equipment and measuring instruments, and per industrial control command, and each request is dynamically evaluated and authorized with the help of big data security analysis, achieving minimal authorization and fine-grained access control at the industrial control boundary. This reduces the exposure of the industrial control network to exploitation of unknown vulnerabilities and, at the same time, limits the damage that can be caused by erroneous or abnormal operator actions.

End-to-end encryption and authorized data protection

Industrial production generates massive amounts of data, including R&D design, development and test data, system and equipment asset information, control information, operating conditions, process parameters and so on, and applications on the platform have extensive needs to share and jointly process that data. The SD-NaaS platform provides a stronger end-to-end data protection method: through real-time trust detection and dynamic evaluation of the security level of each access, it establishes a secure encrypted tunnel so that data flows between applications safely and reliably. For API interactions and database calls between industrial systems, such as the production quality control system, the automatic cost accounting system and the production progress visualization system, the platform enforces fine-grained operation permissions and audits every create, delete, update and query operation.

Application protection through application hiding and proxy access

Finally, the SD-NaaS platform uses an SDP security gateway together with MSG micro-segmentation to hide the industrial Internet platform's applications and proxy access to them, so that the platform's network boundary and exposed attack surface are brought under effective management. Authorization is granted dynamically at the finest granularity (production data, inventory information, invoicing management and so on) according to identity, such as engineer, operator, procurement, sales or supply chain, and all access behaviour is audited, building an all-round, around-the-clock application security barrier.
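The four layers above describe one decision flow: identity and continuously re-evaluated device trust feed a deny-by-default, least-privilege policy, every allow or deny is audited, and an SDP gateway gives a denied request no response at all so the application stays invisible. The following Python is an added illustration of that flow written for this page; it is not the vendor's SD-NaaS code. The roles, resources, trust weights, trust floors and the 60-point enrolment baseline are hypothetical values chosen to make the behaviour visible, and the log events fed to the engine are constructed.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Rule:
    """One least-privilege grant: which roles may perform which operations on
    a resource, and the minimum device trust the grant requires."""
    roles: frozenset
    resource: str
    operations: frozenset
    min_trust: int


# Hypothetical plant policy. Every grant is explicit; anything not listed is
# denied. Trust floors rise with the blast radius of the operation.
POLICY = (
    Rule(frozenset({"ics_admin"}), "plc/line1",
         frozenset({"read", "write_setpoint", "firmware_update"}), 80),
    Rule(frozenset({"engineer"}), "plc/line1",
         frozenset({"read", "write_setpoint"}), 70),
    Rule(frozenset({"operator"}), "plc/line1", frozenset({"read"}), 50),
    Rule(frozenset({"engineer", "operator"}), "db/production_data",
         frozenset({"read"}), 50),
    Rule(frozenset({"procurement"}), "db/inventory",
         frozenset({"read", "update"}), 60),
    Rule(frozenset({"sales"}), "db/invoicing",
         frozenset({"read", "create"}), 60),
)

# Constructed weights for events parsed from terminal logs. A real platform
# would derive these from posture, EDR and authentication telemetry.
EVENT_WEIGHTS = {
    "posture_ok": +5,
    "mfa_success": +10,
    "auth_failure": -15,
    "new_geo": -20,
    "unsigned_firmware": -50,
    "malware_alert": -100,
}
ENROLL_BASELINE = 60   # hypothetical trust granted at registration


class TrustEngine:
    """Policy decision point: continuous trust scoring plus per-request
    authorization, with every decision (allow or deny) appended to an audit log."""

    def __init__(self):
        self.scores = {}   # device_id -> trust score in [0, 100]
        self.audit = []    # decision records, never pruned

    def enroll(self, device_id):
        """A registered device starts at the baseline, not at full trust."""
        self.scores[device_id] = ENROLL_BASELINE
        return ENROLL_BASELINE

    def observe(self, device_id, event):
        """Re-evaluate trust from one log event. Unknown events lower trust,
        because an unexplained signal is not evidence of good posture."""
        score = self.scores.get(device_id, 0) + EVENT_WEIGHTS.get(event, -10)
        self.scores[device_id] = max(0, min(100, score))
        return self.scores[device_id]

    def decide(self, subject, role, device_id, resource, operation):
        """Return (allowed, reason). A never-seen device has zero trust, so even
        a correct role is refused until the device is enrolled and reports in."""
        trust = self.scores.get(device_id, 0)
        allowed, reason = False, "no rule grants this role/resource/operation"
        for rule in POLICY:
            if (role in rule.roles and rule.resource == resource
                    and operation in rule.operations):
                if trust >= rule.min_trust:
                    allowed, reason = True, f"trust {trust} >= {rule.min_trust}"
                else:
                    reason = f"trust {trust} < required {rule.min_trust}"
                break
        self.audit.append({
            "ts": time.time(), "subject": subject, "role": role,
            "device": device_id, "resource": resource, "operation": operation,
            "trust": trust, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def gateway(self, request):
        """SDP-style proxy: an authorized request is forwarded; a denied one
        gets no reply at all, so the hidden application is never observable."""
        allowed, _ = self.decide(**request)
        return f"proxied:{request['resource']}" if allowed else None
```

Two properties worth noting: the same engineer who was allowed to write a setpoint is refused moments later when a "new_geo" event drops the device below the rule's trust floor, without any change to the policy itself; and a "malware_alert" drives the score to zero, so even a read that an operator is normally entitled to is silently dropped at the gateway while the audit log still records the attempt.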

The optical grid network SD-NaaS solution has been deployed securely and reliably in scenarios such as industrial vision, intelligent inspection, remote driving and AI video surveillance. It helps enterprises build, on a secure foundation, an industrial cloud platform that supports ubiquitous connectivity, flexible supply and efficient allocation of manufacturing resources, and to explore new models and forms of digital, intelligent transformation of industrial manufacturing through the industrial Internet platform.

Best practices of SD-NaaS:
