The first step in implementing industrial Internet security is to ensure protection capabilities in the environment, followed by testing/audit capabilities. The "Industrial Internet Security Capacity Guide" released by Thundersea Consulting is the industrial control protection ca

The first step in implementing industrial Internet security is to ensure protection capabilities in the environment, followed by testing/audit capabilities. Spanish Consulting The "Industrial Internet Security Capability Guide" released this time is the industrial control protection capability part in the report, as well as the industrial control detection/auditation capability part.

Industrial Internet Security Capability Guide - Industrial Control Protection Capability

In the field of security, one of the most important tasks is to deal with threats, which requires protection capabilities. In this report, the scope of industrial control protection capabilities is as follows:

In the industrial Internet environment, it can conduct technologies, products or solutions that involve interference or disposal of threats and abnormal behaviors found in OT-related scenarios, including detection, blocking, intercepting requests, and prohibiting processes.

The protection capability in the industrial Internet environment plays an important role in the security of the entire industrial Internet: the first thing that needs to be guaranteed in the industrial Internet scenario is production sustainability - that is, threats cannot produce production accidents, and at the same time, the handling of threats should not interfere with production excessively. Especially for enterprises with very limited budgets, industrial control protection products will be the most preferred area of ​​investment - only by ensuring production stability first, then having more effort to discover potential risks in the environment and abnormal behaviors that have occurred in the past.

The industrial control protection capability in this report belongs to the industrial control system security part of the digital security capability map, in the industry environment, and industrial Internet security. Since the safety of industrial control system covers a lot of products and solutions, this report is divided into industrial control protection capabilities and industrial Internet security detection/audit capabilities.

Key discovery

• 's main product forms of industrial control protection capabilities are three: industrial control firewall, industrial control network gate, and industrial control terminal security protection/host guard. However, depending on the situation where different manufacturers respond to different needs, the product form will also undergo some changes.
• industrial control protection capabilities must first be "operable without interference". The key capabilities lie in "in-depth protocol analysis" and "whitelist" technologies. However, it should be noted that "in-depth protocol analysis" may represent different meanings for different manufacturers. When purchasing related products, companies need to clarify the specific content of the manufacturer being able to analyze the agreement.
• From a market perspective, although the overall revenue of industrial control protection products is still on the rise, its revenue share in the entire industrial Internet security will gradually decline.

industrial control protection capability dot map

There are 23 manufacturers participating in industrial control protection capabilities this time, including: Andi Technology, Anheng Information, Anmeng Information, Bozhi Security, Changyang Technology , Cathay Network Information, Huajing Security, Huierte, Jiesi Security, Lisichen Anke, Liufang Cloud, Luo'an Technology, Green League Technology , Mulian Technology, Qi'an Technology, Qimingxingchen , Rong'an Network, Shenxinda, Shengborun , Tiandi Hexing, Tianrongxin , Vinut , Insec.

Industrial control protection capabilities Main product forms

In this survey, the main product forms of industrial control protection capabilities are the following three: industrial control firewall, industrial control network gate, industrial control terminal security protection/host guard.

Industrial Control Firewall

Industrial Control Firewall Department plays the role of boundary separation in the industrial control network, ensuring that one partition will not be attacked from another partition. The industrial control firewall controls the command interaction between different networks. Especially when the upper computer is attacked and issues abnormal instructions to industrial production machines, the industrial control firewall needs to be able to identify and take corresponding measures including alarms. Therefore, the industrial control firewall is the primary line of defense in the current industrial Internet scenario.

Industrial control firewalls have the value of traditional firewalls in industrial Internet security because they need to parse the characteristics of industrial unique protocols.

Industrial Control Network Gate

Industrial Control Network Gate plays a role in data ferrying in the industrial Internet - especially when safely transmitting data in the OT environment to a relatively open IT environment.

A major change in the industrial Internet compared to traditional industrial production is that in order to better improve production efficiency and grasp the production environment state, data needs to be transmitted to the IT environment - such as the industrial Internet platform. This will increase the attack surface for industrial data. The most important task of

industrial control network gate is to ensure that industrial data is only transmitted to trusted and authorized recipients, so as not to cause industrial data information leakage.

Industrial Control Terminal Security Protection/Host Guard

Industrial Control Terminal Security Protection is also called "Host Guard" by many manufacturers. It is a security capability to protect related hosts in industrial Internet scenarios. Industrial control terminal security protection/host guard is the last line of defense in the industrial Internet production environment due to its location.

Industrial Control Terminal Security Protection/Host Guards mainly adopt the protection method is a whitelist mechanism, which only allows normal and recognized systems in the industrial Internet environment to run, and prohibits the operation of abnormal programs.

Other product capabilities

0 The above three are the main product forms related to OT scenarios in the current industrial Internet security. On the other hand, in actual research, it was found that each manufacturer will have some different product forms according to its own capabilities and the different needs of its customers: for example, some security manufacturers will provide industrial control IPS products based on customer environment and needs; some manufacturers will also use external equipment protection capabilities such as USB management as separate products during the sales process, rather than part of industrial control terminal security protection/host guard products; some manufacturers will even provide a complete set of industrial control external equipment security management solutions for external equipment, including additional external equipment management and monitoring equipment.

Therefore, when purchasing industrial control protection products, customers need to confirm the specific product capabilities with the manufacturer based on their own security needs to ensure that the purchased products can fully cover their protective surface.

At the same time, in this survey, it was found that one of the directions of security capabilities in future industrial production scenarios is the combination of network equipment and security equipment. During this survey, it was found that some manufacturers have begun to integrate their security capabilities with network equipment (such as routers) in industrial production environments, becoming "industrial network equipment with security capabilities."

industrial control protection capabilities key points

For industrial control protection capabilities products, the following key capabilities need to be considered:

industrial environments are available

In industrial scenarios, equipment is first required to be available. Equipment availability does not only refer to the software level, but can theoretically realize the requirements in the industrial environment. The most critical premise is that the hardware itself can be available in the industrial production environment.

In industrial production environments, there will be many extreme environments, such as high temperature, low temperature, dust, etc., which will have a great impact on electronic equipment. For industrial manufacturers with strict production environments, when choosing industrial control protection products, they must consider whether the hardware protection of the equipment can resist the harsh production environment. If the device itself cannot operate normally due to lack of hardware protection, then no matter how strong the information protection capabilities are, it cannot truly protect the industrial Internet.

production has no impact

industrial control protection capability is an area where the most important thing is to seek a balance between security and business in the entire industrial Internet security. Judging from the functions of industrial control protection capabilities, it is necessary to be able to intercept requests, block suspicious sources, and prohibit certain applications from running. However, these behaviors may lead to interruption or even termination of production.

Therefore, it is particularly important whether industrial Internet security products can ensure safety without affecting production. Even in the industrial Internet scenario, for the sustainability of production, some small threats need to be allowed, but for threats that may cause accidents, it is necessary to cut it off as soon as possible. At the same time, the operation of industrial control protection products itself should not have adverse effects on the entire production environment.

protocol parsing capability

For industrial control protection capabilities, especially industrial control firewalls, protocol parsing capabilities are particularly critical.The in-depth protocol analysis capability not only identifies industrial protocols, but also requires the ability to analyze the specific contents of industrial protocols during information transmission. The parsing capability of the

protocol can be viewed from two aspects. One is " deep protocol parsing capability ". However, different security vendors do not have exactly the same definition of "in-depth protocol analysis". The contents contained in deep protocol analysis can include the identification of protocol instruction code, data address, and data values. When selecting industrial control firewalls, it is necessary to clarify the specific analysis content of the so-called "in-depth protocol analysis" of security manufacturers. Abnormal instruction communication can be found at the protocol instruction level, but the data value level can identify abnormal values ​​in normal instructions - to avoid accidents caused by improper parameters. Another notable capability of

protocol parsing is " custom protocol parsing capability ". In the industrial Internet environment, some private protocols do not appear as mainstream protocols, so they do not exist in the original protocol capabilities of security manufacturers. In this case, industrial control protection products need to have the ability to learn unknown protocols to achieve the ability to resolve unknown protocols.

elastic whitelist

whitelist is the main protection method for industrial control terminal security protection/host guard. By allowing only the licensed program to run, the purpose of ensuring the safety of the industrial control host is achieved.

However, whitelists also need to be learned based on the business environment of the enterprise, so as to develop a whitelist that meets environmental needs. From a development perspective, the industrial Internet will more flexibly allocate productivity based on the analysis of industrial data and the business needs of enterprises. Therefore, for some companies with faster digital transformation of , the industrial production environment itself will also change more frequently than before. This requires the whitelist to have the same flexibility. The elasticity of the whitelist of

can be viewed from two aspects. On the one hand, it is the learning speed of the whitelist, whether it can quickly learn and establish an accurate whitelist of industrial and agricultural Internet environments; on the other hand, it is whether the deployment efficiency of the whitelist is efficient. Although in terms of functions, one-click issuance can be achieved through the industrial Internet security management platform, in specific practical environments, each terminal is often updated one by one. At this time, the deployment rate of the whitelist determines the speed of production recovery.

Some manufacturers will use some blacklist or graylist mechanisms to increase the flexibility of whitelists. However, this type of mechanism also sacrifices a certain degree of security to pursue efficiency - this does not mean that this type of mechanism will not be safe, but relatively purely whitelisting mechanisms, security guarantees will be relatively reduced. In this process, enterprises also need to balance their needs: whether to pursue pure security and choose a complete whitelisting mechanism, or to reduce security a little to ensure efficiency during business conversion.

known threat protection capabilities

Although hostile forces are very likely to launch attacks on our country's critical infrastructure, this type of APT attack is still a minority. Industrial enterprises face more of daily known attacks or virus infections caused by illegal operations of personnel (such as illegal use of mobile storage devices). This type of threat is often known virus attacks, or exploits known vulnerabilities, so antivirus capabilities can withstand most of these attacks.

's protection against known threats depends on the security vendors' own vulnerability research capabilities in industrial systems and virus database update capabilities. This can be reflected in the number of industrial Internet-related vulnerabilities submitted by the manufacturer and the capabilities of the security research team. On the other hand, manufacturers with strong attack feature library capabilities can detect attack behavior more accurately and quickly through known attack behavior patterns.

Industrial Control Protection Capability Market Situation

• Industrial Control System Safety (the "Industrial Control Protection Capability" and "Industrial Control Inspection/Authment" sections in this report) are located in the development market maturity defined by Digital Consulting, concept market, emerging market, development market and mature market.

• According to the direction of this survey, my country's industrial control protection capacity revenue in 2019 was approximately RMB 630 million, and the overall revenue in 2020 was approximately RMB 1.03 billion. It is estimated that the revenue in 2021 will be RMB 1.41 billion, and it is expected to reach RMB 1.75 billion in 2022. As the key to the security of the entire industrial Internet, industrial control protection products account for the highest proportion of the total industrial Internet security. However, as customers' protection capabilities become more mature and the number of industrial Internet security products increases, investment will gradually shift to industrial Internet security management platform capabilities. The overall revenue share of industrial control protection products will gradually decline.
• industrial control protection products are currently mainly delivered by a single standardized product, accounting for 72%. Customized products and operations account for 17%; as a single function delivery, subscription model and other models account for 11%.
• From the perspective of sales methods, there is not much difference between direct sales by manufacturers and sales through channels. Direct sales (46%) account for a slightly higher proportion than channels (44%).
• At present, the main industry of industrial control protection capabilities is electricity, accounting for 31%. Electric power started early in the entire industrial Internet field, so more security capabilities were implemented. The remaining industries that account for more than 10% of the total are rail transit (16%), gas/heat/water supply/power grid (13%), and petroleum and petrochemical (11%). From the perspective of future development, petroleum and petrochemical will become the next area for security manufacturers to compete for.

Case 1: A hydropower station industrial control safety protection project case (this case is provided by Tianrongxin)

scenario introduction

As the first large water conservancy hub in China, a hydropower station has become increasingly informatized and has put forward higher tests on the stability, safety and usability of the power system. In order to improve the network security protection capabilities of the hydropower station control system, we will take the actual application needs of hydropower stations as the starting point and combine relevant standards in the power industry to design a hydropower station industrial control safety protection plan from the aspects of industrial control terminal security, industrial control network security, operation and maintenance management security, and obtain practical applications to help hydropower stations establish comprehensive and multi-technical protection methods.

Security risks

• Production control area system is old and has many security vulnerabilities. It is easy to be exploited by attackers.
• Operation station application and mobile media lack control, and the source of the application cannot be identified. Malicious programs may be introduced. The business scheduling and operation behavior are not standardized. There may be illegal operations or misoperation between the production control areas of
• . Implement strict access control, there may be cross-domain access

customer needs

By conducting on-site communication and investigation on the business operation and daily management of hydropower station control zones I and II, the following requirements are clarified:

• Technicians operate in a standardized manner, it is difficult to manage
• It is difficult to establish an effective audit monitoring mechanism for important communications
• industrial control system has many vulnerabilities, making it difficult to form collective identification and management measures
• conventional security detection methods cannot cope with new industrial security threat
• lack of threat situation analysis based on the whole network
• network equipment is numerous and distant, and regular maintenance is more difficult

solution

(Picture source: Tianrongxin)

In order to better solve the current security problems faced by hydropower stations, it is first necessary to sort out the network structure and asset information of hydropower stations: with the construction principle of "safety partitioning, network-specific, horizontal isolation, and vertical authentication", the business system of the production control area (I area) is refined, the security protection and audit of data network boundaries, important assets or systems is strengthened, vulnerability threat identification and discovery capabilities are enhanced, and security information summary and display based on the entire factory, as well as threat situation awareness and analysis of the entire network.

combines the business characteristics and network structure of hydropower stations, and security experts have proposed an overall safety construction framework. Based on the security protection system and the security operation and maintenance perception system, we have built security protection, security detection, security audit , security operation and maintenance, threat identification, and security scenario analysis capabilities in the production control area of ​​hydropower stations, forming a vertical defense architecture based on industrial control systems.

• security protection system

security protection system includes security protection equipment, detection equipment, audit equipment, terminal management, vulnerability identification, etc. in the network, and the protection scope covers the production control area; a security protection center is established in the production monitoring area as data exploration, and the security data, abnormal data, etc. based on each node are sent to the centralized management platform for analysis, and the analysis results are performed.

• Security Operation and Maintenance Perception System

Security Operation and Maintenance Perception System As the "brain" of the safety protection area of ​​hydropower station production control, it assumes the role of security information analysis, uses big data means to conduct security modeling based on the user's security baseline, and performs streaming analysis through the combination of models to analyze security threats and host and application vulnerabilities in the network. Then, based on the analysis results, the strategies are issued to security protection equipment and security audit equipment to form a vertical security protection system based on user behavior.

domain isolation

production control area and non-control area deploy Tianrongxin industrial control firewall to realize inter-domain isolation control. Tianrongxin Industrial Control Firewall is based on the whitelisted industrial instruction-level "four-dimensional integrated" deep protection technology, which can deeply analyze and filter the "integrity" of the industrial control protocol, " function code ", "address range" and " process parameter range", and can deeply analyze the S7, Modbus, EIP, and IEC104 protocols in the hydropower station production control area; at the same time, based on the real-time characteristics of the hydropower station business, the business continuity guarantee technology of the industrial control system can be used to block abnormal instructions, alarm suspicious operations, and isolate threat data without affecting the continuity of the industrial control business, and ensure the safe upload of power production data.

"Four-dimensional Integrated" deep protection technology, based on the traditional firewall five-tuple security detection, performs four-fold deep security detection of industrial control protocols and data on the application layer. Taking Modbus protocol as an example:

• first step to verify the integrity of the protocol.
• Step 2 analyzes the function code in combination with industrial control business to check whether the protocol function code is legal and compliant.
• Step 3 check whether the data read address range is within the allowable range of the service, and at the same time check the read and write permissions of the source operator.
• The fourth step analyzes the process parameters, such as whether the speed, pressure, temperature, etc. meet the normal business scope of the target equipment.

(Tianrongxin Industrial Control Firewall Protocol Analysis Model)

Through the four-layer security detection of industrial control protocols and data, it can effectively ensure the security of industrial control protocols and data, thereby ensuring the safe and stable operation of industrial control networks and industrial control equipment.

service-based behavior modeling analysis

-day Rongxin Industrial Control Security Monitoring System deployment and application combined with the characteristics of hydropower station business, adopting industrial control business rules model, which can effectively monitor the abnormal behaviors of the business system such as attack behavior, illegal operations, misoperation, illegal communication, etc., and conduct in-depth analysis, analysis, recording, statistics, and reporting of the data. Through the correlation analysis results, the corresponding defense strategy and event traceability message source code are given, strengthen internal and external network behavior monitoring, so that it is easy to quickly understand the basic network situation while knowing the network alarm distribution, and easily grasp the network operation status. Bypass deployment is adopted to have a "zero" impact on the business production process; it has complete log storage, statistics, auditing and backup functions, which facilitates screening and backtracking for security events, effectively ensuring the reliability of log data.

whitelist-based protection

days Rongxin Industrial Control Host Guard is deployed on industrial control host computers and servers. It can prevent the operation of malicious programs, control the abuse of USB mobile storage media , manage illegal outreach, and provide integrity protection for trusted programs. It has complete terminal security risk monitoring and analysis capabilities; it also supports the creation and addition of whitelists, and can automatically generate application and script whitelist libraries through automatic scanning, custom addition, software tracking, etc. At the same time, the whitelist in the library can be viewed according to the file table and HASH table, and can configure whitelist protection policies to prohibit and audit processes outside the whitelist and mirror startup and loading behavior; meet the terminal security management requirements in the industrial control network, and achieve comprehensive security protection for industrial control hosts.

(Tianrongxin Industrial Control Host Guard Functional Architecture)

Industrial Vulnerability Identification and Discovery

Tianrongxin Vulnerability Scan and Management System can conduct targeted scanning of various types of systems or devices such as SCADA, configuration software, HMI, PLCh, DCS, application systems, etc., and use the combination of intelligent traversal rule base and multiple scanning options to deeply detect vulnerabilities and weaknesses in the system and accurately locate their vulnerabilities and potential threats. According to the scan results, the system can provide test case to assist in verifying the accuracy of the vulnerability, and at the same time provide rectification methods and suggestions to help technicians fix the vulnerability and comprehensively improve overall security.

At the same time, the system cabinet can generate online or offline reports by scanning results, or generate reports based on different user roles, and conduct detailed and comprehensive analysis of the scan results, and display them in various forms such as pictures, tables, and text descriptions. It supports exporting in HTML, PDF, Word, Excel, Xml, etc., to facilitate the summary and analysis of on-site assets and threats.

(Tianrongxin Industrial Control Vulnerability Scan System Functional Architecture)

External Intrusion Detection

Tianrongxin Industrial Control Intrusion Detection and Audit System has built-in professional industrial control intrusion rule database. It can formulate a whitelist strategy based on business functional needs to meet the protection needs of key nodes of hydropower stations. It adopts two methods: attack rule detection + business whitelist to match the data packets captured on the industrial control network, and promptly discover external attack threats from the production network, provide customers with intuitive and implemented security protection suggestions, and ensure the safe operation of the production network. It realizes in-depth analysis of the Modbus, S7, IEC104 and EIP protocols of hydropower stations. It can formulate security policies that meet application scenarios based on the security needs of the business system. It can record and retain messages for security incident details, provide a basic basis for security incident investigation, and truly achieve pre-warning, in-process monitoring and post-tracement.

(Tianrongxin Industrial Control Intrusion Detection and Audit System Architecture Diagram)

Customer Value

By deploying Tianrongxin Industrial Control Security Products in the customer's environment, the final implementation is:

• Terminal Control: Install Tianrongxin Industrial Control Host Guard on important servers and operating stations to realize security control of terminal hosts, avoid malicious manipulation of applications by personnel, and reduce the impact of malicious code and virus Trojans on production control.
• security isolation: Deploy industrial-grade firewalls in control and non-control areas to achieve regional boundary security isolation, filter illegal misoperations and malicious attacks in the network in real time, block the spread of worms and virus domains, and improve the protection capabilities of the control area.
• security audit and intrusion detection capabilities: Deploy industrial control security monitoring and intrusion protection systems in key switch stations, dispatching data network interfaces, and non-controlled areas (zone II), increase the protection capabilities of important assets, and improve the intrusion detection and security audit capabilities of external threat attacks.
• vulnerability identification and repair capability: By deploying an industrial control vulnerability scanning system in a non-control area of ​​the control area, various forms of systems can be detected in multiple dimensions, quickly locate vulnerability threats, and provide complete repair guidance.

  The first step in implementing industrial Internet security is to ensure protection capabilities in the environment, followed by testing/audit capabilities. Spanish Consulting The "Industrial Internet Security Capability Guide" released this time is the industrial control protection capability part in the report, as well as the industrial control detection/auditation capability part.

  Industrial Internet Security Capability Guide - Industrial Control Protection Capability

  In the field of security, one of the most important tasks is to deal with threats, which requires protection capabilities. In this report, the scope of industrial control protection capabilities is as follows:

  In the industrial Internet environment, it can conduct technologies, products or solutions that involve interference or disposal of threats and abnormal behaviors found in OT-related scenarios, including detection, blocking, intercepting requests, and prohibiting processes.

  The protection capability in the industrial Internet environment plays an important role in the security of the entire industrial Internet: the first thing that needs to be guaranteed in the industrial Internet scenario is production sustainability - that is, threats cannot produce production accidents, and at the same time, the handling of threats should not interfere with production excessively. Especially for enterprises with very limited budgets, industrial control protection products will be the most preferred area of ​​investment - only by ensuring production stability first, then having more effort to discover potential risks in the environment and abnormal behaviors that have occurred in the past.

  The industrial control protection capability in this report belongs to the industrial control system security part of the digital security capability map, in the industry environment, and industrial Internet security. Since the safety of industrial control system covers a lot of products and solutions, this report is divided into industrial control protection capabilities and industrial Internet security detection/audit capabilities.

  Key discovery

  • 's main product forms of industrial control protection capabilities are three: industrial control firewall, industrial control network gate, and industrial control terminal security protection/host guard. However, depending on the situation where different manufacturers respond to different needs, the product form will also undergo some changes.
  • industrial control protection capabilities must first be "operable without interference". The key capabilities lie in "in-depth protocol analysis" and "whitelist" technologies. However, it should be noted that "in-depth protocol analysis" may represent different meanings for different manufacturers. When purchasing related products, companies need to clarify the specific content of the manufacturer being able to analyze the agreement.
  • From a market perspective, although the overall revenue of industrial control protection products is still on the rise, its revenue share in the entire industrial Internet security will gradually decline.

  industrial control protection capability dot map

  

  There are 23 manufacturers participating in industrial control protection capabilities this time, including: Andi Technology, Anheng Information, Anmeng Information, Bozhi Security, Changyang Technology , Cathay Network Information, Huajing Security, Huierte, Jiesi Security, Lisichen Anke, Liufang Cloud, Luo'an Technology, Green League Technology , Mulian Technology, Qi'an Technology, Qimingxingchen , Rong'an Network, Shenxinda, Shengborun , Tiandi Hexing, Tianrongxin , Vinut , Insec.

  Industrial control protection capabilities Main product forms

  In this survey, the main product forms of industrial control protection capabilities are the following three: industrial control firewall, industrial control network gate, industrial control terminal security protection/host guard.

  Industrial Control Firewall

  Industrial Control Firewall Department plays the role of boundary separation in the industrial control network, ensuring that one partition will not be attacked from another partition. The industrial control firewall controls the command interaction between different networks. Especially when the upper computer is attacked and issues abnormal instructions to industrial production machines, the industrial control firewall needs to be able to identify and take corresponding measures including alarms. Therefore, the industrial control firewall is the primary line of defense in the current industrial Internet scenario.

  Industrial control firewalls have the value of traditional firewalls in industrial Internet security because they need to parse the characteristics of industrial unique protocols.

  Industrial Control Network Gate

  Industrial Control Network Gate plays a role in data ferrying in the industrial Internet - especially when safely transmitting data in the OT environment to a relatively open IT environment.

  A major change in the industrial Internet compared to traditional industrial production is that in order to better improve production efficiency and grasp the production environment state, data needs to be transmitted to the IT environment - such as the industrial Internet platform. This will increase the attack surface for industrial data. The most important task of

  industrial control network gate is to ensure that industrial data is only transmitted to trusted and authorized recipients, so as not to cause industrial data information leakage.

  Industrial Control Terminal Security Protection/Host Guard

  Industrial Control Terminal Security Protection is also called "Host Guard" by many manufacturers. It is a security capability to protect related hosts in industrial Internet scenarios. Industrial control terminal security protection/host guard is the last line of defense in the industrial Internet production environment due to its location.

  Industrial Control Terminal Security Protection/Host Guards mainly adopt the protection method is a whitelist mechanism, which only allows normal and recognized systems in the industrial Internet environment to run, and prohibits the operation of abnormal programs.

  Other product capabilities

  0 The above three are the main product forms related to OT scenarios in the current industrial Internet security. On the other hand, in actual research, it was found that each manufacturer will have some different product forms according to its own capabilities and the different needs of its customers: for example, some security manufacturers will provide industrial control IPS products based on customer environment and needs; some manufacturers will also use external equipment protection capabilities such as USB management as separate products during the sales process, rather than part of industrial control terminal security protection/host guard products; some manufacturers will even provide a complete set of industrial control external equipment security management solutions for external equipment, including additional external equipment management and monitoring equipment.

  Therefore, when purchasing industrial control protection products, customers need to confirm the specific product capabilities with the manufacturer based on their own security needs to ensure that the purchased products can fully cover their protective surface.

  At the same time, in this survey, it was found that one of the directions of security capabilities in future industrial production scenarios is the combination of network equipment and security equipment. During this survey, it was found that some manufacturers have begun to integrate their security capabilities with network equipment (such as routers) in industrial production environments, becoming "industrial network equipment with security capabilities."

  industrial control protection capabilities key points

  For industrial control protection capabilities products, the following key capabilities need to be considered:

  industrial environments are available

  In industrial scenarios, equipment is first required to be available. Equipment availability does not only refer to the software level, but can theoretically realize the requirements in the industrial environment. The most critical premise is that the hardware itself can be available in the industrial production environment.

  In industrial production environments, there will be many extreme environments, such as high temperature, low temperature, dust, etc., which will have a great impact on electronic equipment. For industrial manufacturers with strict production environments, when choosing industrial control protection products, they must consider whether the hardware protection of the equipment can resist the harsh production environment. If the device itself cannot operate normally due to lack of hardware protection, then no matter how strong the information protection capabilities are, it cannot truly protect the industrial Internet.

  production has no impact

  industrial control protection capability is an area where the most important thing is to seek a balance between security and business in the entire industrial Internet security. Judging from the functions of industrial control protection capabilities, it is necessary to be able to intercept requests, block suspicious sources, and prohibit certain applications from running. However, these behaviors may lead to interruption or even termination of production.

  Therefore, it is particularly important whether industrial Internet security products can ensure safety without affecting production. Even in the industrial Internet scenario, for the sustainability of production, some small threats need to be allowed, but for threats that may cause accidents, it is necessary to cut it off as soon as possible. At the same time, the operation of industrial control protection products itself should not have adverse effects on the entire production environment.

  protocol parsing capability

  For industrial control protection capabilities, especially industrial control firewalls, protocol parsing capabilities are particularly critical.The in-depth protocol analysis capability not only identifies industrial protocols, but also requires the ability to analyze the specific contents of industrial protocols during information transmission. The parsing capability of the

  protocol can be viewed from two aspects. One is " deep protocol parsing capability ". However, different security vendors do not have exactly the same definition of "in-depth protocol analysis". The contents contained in deep protocol analysis can include the identification of protocol instruction code, data address, and data values. When selecting industrial control firewalls, it is necessary to clarify the specific analysis content of the so-called "in-depth protocol analysis" of security manufacturers. Abnormal instruction communication can be found at the protocol instruction level, but the data value level can identify abnormal values ​​in normal instructions - to avoid accidents caused by improper parameters. Another notable capability of

  protocol parsing is " custom protocol parsing capability ". In the industrial Internet environment, some private protocols do not appear as mainstream protocols, so they do not exist in the original protocol capabilities of security manufacturers. In this case, industrial control protection products need to have the ability to learn unknown protocols to achieve the ability to resolve unknown protocols.

  elastic whitelist

  whitelist is the main protection method for industrial control terminal security protection/host guard. By allowing only the licensed program to run, the purpose of ensuring the safety of the industrial control host is achieved.

  However, whitelists also need to be learned based on the business environment of the enterprise, so as to develop a whitelist that meets environmental needs. From a development perspective, the industrial Internet will more flexibly allocate productivity based on the analysis of industrial data and the business needs of enterprises. Therefore, for some companies with faster digital transformation of , the industrial production environment itself will also change more frequently than before. This requires the whitelist to have the same flexibility. The elasticity of the whitelist of

  can be viewed from two aspects. On the one hand, it is the learning speed of the whitelist, whether it can quickly learn and establish an accurate whitelist of industrial and agricultural Internet environments; on the other hand, it is whether the deployment efficiency of the whitelist is efficient. Although in terms of functions, one-click issuance can be achieved through the industrial Internet security management platform, in specific practical environments, each terminal is often updated one by one. At this time, the deployment rate of the whitelist determines the speed of production recovery.

  Some manufacturers will use some blacklist or graylist mechanisms to increase the flexibility of whitelists. However, this type of mechanism also sacrifices a certain degree of security to pursue efficiency - this does not mean that this type of mechanism will not be safe, but relatively purely whitelisting mechanisms, security guarantees will be relatively reduced. In this process, enterprises also need to balance their needs: whether to pursue pure security and choose a complete whitelisting mechanism, or to reduce security a little to ensure efficiency during business conversion.

  known threat protection capabilities

  Although hostile forces are very likely to launch attacks on our country's critical infrastructure, this type of APT attack is still a minority. Industrial enterprises face more of daily known attacks or virus infections caused by illegal operations of personnel (such as illegal use of mobile storage devices). This type of threat is often known virus attacks, or exploits known vulnerabilities, so antivirus capabilities can withstand most of these attacks.

  's protection against known threats depends on the security vendors' own vulnerability research capabilities in industrial systems and virus database update capabilities. This can be reflected in the number of industrial Internet-related vulnerabilities submitted by the manufacturer and the capabilities of the security research team. On the other hand, manufacturers with strong attack feature library capabilities can detect attack behavior more accurately and quickly through known attack behavior patterns.

  Industrial Control Protection Capability Market Situation

  • Industrial Control System Safety (the "Industrial Control Protection Capability" and "Industrial Control Inspection/Authment" sections in this report) are located in the development market maturity defined by Digital Consulting, concept market, emerging market, development market and mature market.

  

  • According to the direction of this survey, my country's industrial control protection capacity revenue in 2019 was approximately RMB 630 million, and the overall revenue in 2020 was approximately RMB 1.03 billion. It is estimated that the revenue in 2021 will be RMB 1.41 billion, and it is expected to reach RMB 1.75 billion in 2022. As the key to the security of the entire industrial Internet, industrial control protection products account for the highest proportion of the total industrial Internet security. However, as customers' protection capabilities become more mature and the number of industrial Internet security products increases, investment will gradually shift to industrial Internet security management platform capabilities. The overall revenue share of industrial control protection products will gradually decline.
  • industrial control protection products are currently mainly delivered by a single standardized product, accounting for 72%. Customized products and operations account for 17%; as a single function delivery, subscription model and other models account for 11%.
  • From the perspective of sales methods, there is not much difference between direct sales by manufacturers and sales through channels. Direct sales (46%) account for a slightly higher proportion than channels (44%).
  • At present, the main industry of industrial control protection capabilities is electricity, accounting for 31%. Electric power started early in the entire industrial Internet field, so more security capabilities were implemented. The remaining industries that account for more than 10% of the total are rail transit (16%), gas/heat/water supply/power grid (13%), and petroleum and petrochemical (11%). From the perspective of future development, petroleum and petrochemical will become the next area for security manufacturers to compete for.

  Case 1: A hydropower station industrial control safety protection project case (this case is provided by Tianrongxin)

  scenario introduction

  As the first large water conservancy hub in China, a hydropower station has become increasingly informatized and has put forward higher tests on the stability, safety and usability of the power system. In order to improve the network security protection capabilities of the hydropower station control system, we will take the actual application needs of hydropower stations as the starting point and combine relevant standards in the power industry to design a hydropower station industrial control safety protection plan from the aspects of industrial control terminal security, industrial control network security, operation and maintenance management security, and obtain practical applications to help hydropower stations establish comprehensive and multi-technical protection methods.

  Security risks

  • Production control area system is old and has many security vulnerabilities. It is easy to be exploited by attackers.
  • Operation station application and mobile media lack control, and the source of the application cannot be identified. Malicious programs may be introduced. The business scheduling and operation behavior are not standardized. There may be illegal operations or misoperation between the production control areas of
  • . Implement strict access control, there may be cross-domain access

  customer needs

  By conducting on-site communication and investigation on the business operation and daily management of hydropower station control zones I and II, the following requirements are clarified:

  • Technicians operate in a standardized manner, it is difficult to manage
  • It is difficult to establish an effective audit monitoring mechanism for important communications
  • industrial control system has many vulnerabilities, making it difficult to form collective identification and management measures
  • conventional security detection methods cannot cope with new industrial security threat
  • lack of threat situation analysis based on the whole network
  • network equipment is numerous and distant, and regular maintenance is more difficult

  solution

  

  html l0

  (Picture source: Tianrongxin)

  In order to better solve the current security problems faced by hydropower stations, it is first necessary to sort out the network structure and asset information of hydropower stations: with the construction principle of "safety partitioning, network-specific, horizontal isolation, and vertical authentication", the business system of the production control area (I area) is refined, the security protection and audit of data network boundaries, important assets or systems is strengthened, vulnerability threat identification and discovery capabilities are enhanced, and security information summary and display based on the entire factory, as well as threat situation awareness and analysis of the entire network.

  combines the business characteristics and network structure of hydropower stations, and security experts have proposed an overall safety construction framework. Based on the security protection system and the security operation and maintenance perception system, we have built security protection, security detection, security audit , security operation and maintenance, threat identification, and security scenario analysis capabilities in the production control area of ​​hydropower stations, forming a vertical defense architecture based on industrial control systems.

  • security protection system

  security protection system includes security protection equipment, detection equipment, audit equipment, terminal management, vulnerability identification, etc. in the network, and the protection scope covers the production control area; a security protection center is established in the production monitoring area as data exploration, and the security data, abnormal data, etc. based on each node are sent to the centralized management platform for analysis, and the analysis results are performed.

  • Security Operation and Maintenance Perception System

  Security Operation and Maintenance Perception System As the "brain" of the safety protection area of ​​hydropower station production control, it assumes the role of security information analysis, uses big data means to conduct security modeling based on the user's security baseline, and performs streaming analysis through the combination of models to analyze security threats and host and application vulnerabilities in the network. Then, based on the analysis results, the strategies are issued to security protection equipment and security audit equipment to form a vertical security protection system based on user behavior.

  domain isolation

  production control area and non-control area deploy Tianrongxin industrial control firewall to realize inter-domain isolation control. Tianrongxin Industrial Control Firewall is based on the whitelisted industrial instruction-level "four-dimensional integrated" deep protection technology, which can deeply analyze and filter the "integrity" of the industrial control protocol, " function code ", "address range" and " process parameter range", and can deeply analyze the S7, Modbus, EIP, and IEC104 protocols in the hydropower station production control area; at the same time, based on the real-time characteristics of the hydropower station business, the business continuity guarantee technology of the industrial control system can be used to block abnormal instructions, alarm suspicious operations, and isolate threat data without affecting the continuity of the industrial control business, and ensure the safe upload of power production data.

  "Four-dimensional Integrated" deep protection technology, based on the traditional firewall five-tuple security detection, performs four-fold deep security detection of industrial control protocols and data on the application layer. Taking Modbus protocol as an example:

  • first step to verify the integrity of the protocol.
  • Step 2 analyzes the function code in combination with industrial control business to check whether the protocol function code is legal and compliant.
  • Step 3 check whether the data read address range is within the allowable range of the service, and at the same time check the read and write permissions of the source operator.
  • The fourth step analyzes the process parameters, such as whether the speed, pressure, temperature, etc. meet the normal business scope of the target equipment.

  

  (Tianrongxin Industrial Control Firewall Protocol Analysis Model)

  Through the four-layer security detection of industrial control protocols and data, it can effectively ensure the security of industrial control protocols and data, thereby ensuring the safe and stable operation of industrial control networks and industrial control equipment.

  service-based behavior modeling analysis

  -day Rongxin Industrial Control Security Monitoring System deployment and application combined with the characteristics of hydropower station business, adopting industrial control business rules model, which can effectively monitor the abnormal behaviors of the business system such as attack behavior, illegal operations, misoperation, illegal communication, etc., and conduct in-depth analysis, analysis, recording, statistics, and reporting of the data. Through the correlation analysis results, the corresponding defense strategy and event traceability message source code are given, strengthen internal and external network behavior monitoring, so that it is easy to quickly understand the basic network situation while knowing the network alarm distribution, and easily grasp the network operation status. Bypass deployment is adopted to have a "zero" impact on the business production process; it has complete log storage, statistics, auditing and backup functions, which facilitates screening and backtracking for security events, effectively ensuring the reliability of log data.

  whitelist-based protection

  days Rongxin Industrial Control Host Guard is deployed on industrial control host computers and servers. It can prevent the operation of malicious programs, control the abuse of USB mobile storage media , manage illegal outreach, and provide integrity protection for trusted programs. It has complete terminal security risk monitoring and analysis capabilities; it also supports the creation and addition of whitelists, and can automatically generate application and script whitelist libraries through automatic scanning, custom addition, software tracking, etc. At the same time, the whitelist in the library can be viewed according to the file table and HASH table, and can configure whitelist protection policies to prohibit and audit processes outside the whitelist and mirror startup and loading behavior; meet the terminal security management requirements in the industrial control network, and achieve comprehensive security protection for industrial control hosts.

  

  (Tianrongxin Industrial Control Host Guard Functional Architecture)

  Industrial Vulnerability Identification and Discovery

  Tianrongxin Vulnerability Scan and Management System can conduct targeted scanning of various types of systems or devices such as SCADA, configuration software, HMI, PLCh, DCS, application systems, etc., and use the combination of intelligent traversal rule base and multiple scanning options to deeply detect vulnerabilities and weaknesses in the system and accurately locate their vulnerabilities and potential threats. According to the scan results, the system can provide test case to assist in verifying the accuracy of the vulnerability, and at the same time provide rectification methods and suggestions to help technicians fix the vulnerability and comprehensively improve overall security.

  At the same time, the system cabinet can generate online or offline reports by scanning results, or generate reports based on different user roles, and conduct detailed and comprehensive analysis of the scan results, and display them in various forms such as pictures, tables, and text descriptions. It supports exporting in HTML, PDF, Word, Excel, Xml, etc., to facilitate the summary and analysis of on-site assets and threats.

  

  (Tianrongxin Industrial Control Vulnerability Scan System Functional Architecture)

  External Intrusion Detection

  Tianrongxin Industrial Control Intrusion Detection and Audit System has built-in professional industrial control intrusion rule database. It can formulate a whitelist strategy based on business functional needs to meet the protection needs of key nodes of hydropower stations. It adopts two methods: attack rule detection + business whitelist to match the data packets captured on the industrial control network, and promptly discover external attack threats from the production network, provide customers with intuitive and implemented security protection suggestions, and ensure the safe operation of the production network. It realizes in-depth analysis of the Modbus, S7, IEC104 and EIP protocols of hydropower stations. It can formulate security policies that meet application scenarios based on the security needs of the business system. It can record and retain messages for security incident details, provide a basic basis for security incident investigation, and truly achieve pre-warning, in-process monitoring and post-tracement.

  

  (Tianrongxin Industrial Control Intrusion Detection and Audit System Architecture Diagram)

  Customer Value

  By deploying Tianrongxin Industrial Control Security Products in the customer's environment, the final implementation is:

  • Terminal Control: Install Tianrongxin Industrial Control Host Guard on important servers and operating stations to realize security control of terminal hosts, avoid malicious manipulation of applications by personnel, and reduce the impact of malicious code and virus Trojans on production control.
  • security isolation: Deploy industrial-grade firewalls in control and non-control areas to achieve regional boundary security isolation, filter illegal misoperations and malicious attacks in the network in real time, block the spread of worms and virus domains, and improve the protection capabilities of the control area.
  • security audit and intrusion detection capabilities: Deploy industrial control security monitoring and intrusion protection systems in key switch stations, dispatching data network interfaces, and non-controlled areas (zone II), increase the protection capabilities of important assets, and improve the intrusion detection and security audit capabilities of external threat attacks.
  • vulnerability identification and repair capability: By deploying an industrial control vulnerability scanning system in a non-control area of ​​the control area, various forms of systems can be detected in multiple dimensions, quickly locate vulnerability threats, and provide complete repair guidance.

  Customer feedback

  simplifies operation and maintenance management work. When facing a large factory area, centralized operation and maintenance management can be realized to facilitate the detection of industrial control threats on a daily basis. At the same time, it can respond quickly to threat incidents.

  terminal protection capability is upgraded, and the industrial control host guard can set an effective whitelist program to block peripherals from the system level, effectively dealing with the problems of illegal use of peripherals and irregular operation.

  visual operation and maintenance operations, which can intuitively display front-line operation behaviors, making it convenient for security managers to analyze operation behaviors.

  regulates the behavior between production areas. Between different production areas, the industrial control firewall can control communication behavior in a fine-grained manner and eliminate cross-regional operations.

  vulnerability investigation and location quickly. Faced with tens of thousands of equipment in the factory, it can regularly check vulnerability information, and at the same time give repair opinions to reduce the vulnerability of industrial control equipment in the factory.

  Case 2: A certain oil and gas pipeline production control center network security protection case (this case is provided by Tiandi Hexing )

  involves fields: industrial Internet protection capability, industrial Internet detection/auditation capability

  Scenario introduction

  In recent years, the emergence of network security incidents in the energy industry have shown that the oil and gas pipeline SCADA system has become the target of attack by domestic and foreign hackers and faces an increasingly severe threat.

  The application of new technologies such as the Internet of Things, big data, and cloud platforms has formed the interconnection of oil and gas pipeline production networks, and risks such as intrusion and viruses from the office management network are likely to spread to the production network. At the same time, the attacker forged his identity and penetrated the production system from the external or internal network node , which not only obtained process data, but could even cause major security accidents . Once the pipeline SCADA system is attacked, it is prone to malicious manipulation or even production accidents, which directly affects the normal production and operation of pipeline transportation, leads to fires, explosions, and poisoning incidents, causing major economic losses, casualties and environmental pollution, and directly threatens national energy security and social stability. Therefore, protecting the safety of the SCADA system in oil and gas pipelines has important practical significance for my country's energy security.

  Customer requirements

  This oil and gas pipeline customer has the following industrial Internet security requirements

  • secure communication network security requirements: in the communication process, cryptographic technology is used to ensure the confidentiality of data during the communication process, and in the communication process, verification technology is used to ensure the integrity of data, and trustworthy verification is achieved by applying the industrial control firewall to carry a trusted module.
  • secure area boundary security requirements: monitor various intrusion risks, network virus , illegal access and other behaviors in the network, and audit and block them to ensure the availability and security of the production network.
  • secure computing environment security requirements: implement regular inspection-based security scans on each system engineer station, operator station, historical station, interface station, server, etc., carry out targeted security reinforcement, limit the programs that can be executed in a whitelist manner, comprehensively improve the attack resistance of the host system, and protect the widely distributed station control system host from invading the superior system as a springboard.
  • Security Management Center Security Requirements: Establish security education and training, security confidentiality, and emergency response mechanisms, make security management a system, normalize security management, and combine management with technical defense to form a comprehensive network security protection system for enterprises.

  solution

  solution design

  This solution targets the actual needs of the SCADA system in oil and gas pipelines. By designing and building a stable, efficient and reliable industrial control safety monitoring and protection system, it concentrates on the overall industrial control safety situation of the SCADA system in oil and gas pipelines, and improves the overall industrial control safety supervision level and defense capabilities. Designed in accordance with the characteristics of the SCADA system, and with the national-level protection "one center, triple protection" as the overall protection idea, a technical system for network security protection of the SCADA system of oil and gas pipelines is built, and the security management system is improved to form a comprehensive security protection system of "technology + management" to meet the actual security protection needs and meet the three-level construction standards.The

  solution starts from reality, takes the oil and gas pipeline SCADA system as the level protection object, takes the control center system as the main body, and combines the characteristics of wide distribution of edge applications such as station control systems and field equipment, and builds a comprehensive security protection system from several dimensions such as secure communication network, secure area boundaries, secure computing environment, security management center and security management requirements:

  • secure communication network: sorts out the access logic of the oil and gas pipeline SCADA system, optimizes the network structure, and reasonably divides the network security domain according to the attributes and access logic of network assets. Deploy security isolation and access control measures at the boundary of the oil and gas pipeline industrial control system network to achieve necessary border security protection. At the same time, link encryption measures should be added as appropriate according to the characteristics of business networking applications to ensure the data security of link communication.
  • Security area boundary: designs and deploys security isolation and access control measures on important security domain boundaries to provide necessary security protection for important security domains. In the oil and gas pipeline industrial control system network, the focus is on safe isolation and access control of the security areas where the first station, intermediate station and last station are located to ensure the safety of the oil and gas pipeline industrial control system.
  • Security computing environment: designs and installs necessary security control measures for host systems such as servers, operator stations, engineer stations, etc. on the entire network, to realize necessary security control of the host system and ensure the safe operation of the host system. Host security control measures include host process control, host USB port external management, etc., to realize host antivirus, anti-third-party software unauthorized installation and use, anti-USB device illegal connection and data copying, and improve the necessary security prevention and control of the human-computer interaction interface and the security of the host system. At the same time, with the help of the host system vulnerability scanning tool deployed in the security management domain, the security management of weak passwords and vulnerabilities of the host system is realized, and the host system's own attack resistance is improved through host reinforcement measures.
  • Security Management Center: Create a new security management domain in the oil and gas pipeline industrial control network, deploy centralized security management methods, and realize centralized authentication, permission management and operational behavior audit of users across the network. At the same time, comprehensive log audit and security management technical means are deployed, centralized management, analysis, visualization and linkage treatment mechanisms for security risks across the entire network are established, security threat scanning and management tools are deployed, centralized management and treatment of risks across the entire network are realized, and risk management and response capabilities are ensured quickly.
  • Security Management System: is based on the existing safety management organizational structure and management measures of oil and gas pipeline enterprises. Our professional safety service personnel sort out the content of the safety management system for users in the form of safety consulting services in the form of relevant standards and specifications, help users improve and improve the relevant content of the safety management system, and improve the systematic construction of safety management in terms of management, including daily management and emergency guarantee and other related contents, in order to build a comprehensive safety protection system to ensure the safe and stable operation of the oil and gas pipeline industrial control system.

  deployment topology diagram is as follows:

  

  (Tiandihexing Industrial Control Security Protection System deployment topology diagram)

  product deployment

  • secure communication network construction: optimize the oil and gas pipeline industrial control network, divide the security domain, and deploy the industrial control firewall on the network boundary between the oil and gas pipeline industrial control network and the office network interconnected by the office network. is used for border isolation and security protection to protect the oil and gas pipeline industrial control network from intrusion attack risks from the upper office network and the Internet.
  • security area boundary construction: divide different security domains in the oil and gas pipeline industrial control network. According to the security weight of the security domain, conducts necessary security protection measures such as isolation and access control, security audit, intrusion detection, etc. to protect the operation of individual security domains.In this plan, is mainly used to deploy industrial control security audit system, intrusion detection system in the SCADA system network of the control center, and is used to deploy industrial control firewall at the network entrance of the dispatch center.
  • Security computing environment construction: The secure computing environment in the oil and gas pipeline industrial control network refers to the host systems on the human-computer interactive interface, including various related application servers (such as SCADA history server, OPC server, etc.), operator stations, engineer stations and historical stations, etc. The host system should discover and manage its security vulnerabilities and vulnerabilities through inspection tools, verify and fix the feasibility of repairable vulnerabilities, close unwanted default accounts and services, carry out necessary security reinforcement of the host system, and improve the host system's attack resistance. This design will consider the deployment of the host security protection system technical measures to provide necessary security protection to the host system .

  designs, installs and deploys host security protection software systems for related servers, engineer stations, operator stations and other host systems in the oil and gas pipeline industrial control network to realize the necessary security control of the host system of the human-computer interactive interface. The active defense mechanism of the whitelist of

  can occupy smaller system computing resources and achieve maximum protection efficiency. It can effectively realize the host antivirus, anti-third-party software unauthorized installation and use, control the host system external interface, authentication control of USB external storage devices, anti-virus and operational behavior audit, and provide necessary security guarantees for the safe operation of the host system.

  The host security protection system used in this plan is a security protection system dedicated to the industrial control host system. The system uses innovative technical methods mainly composed of whitelists and graylists and blacklists as supplemented by them. It monitors the host's process status, network port status, and USB port status, strictly controls the host application process, external port control, USB device authentication and use management, and operates behavior management, strengthens the security management of the industrial control host, and improves the host system's attack resistance.

  Customer value

  By deploying a series of industrial Internet security products, it provides customers with the following value:

  • Advanced security protection technology improves the enterprise's industrial control security protection capabilities: This plan adopts industrial protocol in-depth analysis technology, intelligent learning technology, whitelist active defense technology and threat management lossless technology, and combines the company's own industrial vulnerability library and equipment fingerprint library. By formulating effective security strategies and security centralized analysis and control methods, it provides necessary network security guarantees for the operation of the industrial control system on the premise of ensuring stable operation.
  • Improve the organization's OT internal control system to meet compliance needs: When designing this plan, it refers to the relevant national level protection specifications and proposes solutions that meet actual needs according to the current level of informatization of industrial control systems of the enterprise, and realizes the creation of a compliant OT control system from three dimensions such as OT application control, OT general control, and OT audit.
  • industrial control safety product performance has reached the leading domestic level: including a fully cabinet integrated solution with unique patented technology, a loosely coupled security framework design with excellent equipment compatibility, and an integrated security product management mechanism. Network access supports high availability designs such as IPv6, ipsecVPN, visual monitoring, custom protocol rules, interface linkage, hot standby mechanism, bypass, and low latency, which truly achieves zero impact on industrial networks.
  • autonomously and controllable data docking for uploading information: Compared with the same type of solutions, the information collected by the added relevant equipment is more comprehensive and compliant, and can fully adapt to the common needs of stability and confidentiality of industrial control system security protection. All information security products in the plan are domestic independent products, with strong controllability, higher security linkage and security products, and can provide customized functional development, which facilitates continuous iteration and upgrading.
  • trusted computing technology: using the method of installing a PCI trusted control card on the device to achieve trusted functions.It mainly includes trustworthy verification of the bootloader, operating system and application of the device based on the trusted root; trustworthy verification of the bootloader, operating system and application of the device based on SM3 HASH; trustworthy verification of the execution resources such as system interrupts, key memory areas, etc.; trustworthy dynamic measurement of the network communication of the device, monitor abnormal communication behavior; form an audit record and send it to the security management platform; the security management platform handles the trustworthy status values ​​reported by all security devices and presents the credible status of the entire security protection system.

  Customer feedback

  This solution takes the application of the oil and gas pipeline industrial control system as the scenario, and builds a new generation of active defense system for the industrial control system of oil and gas pipeline enterprises characterized by monitoring and auditing, threat analysis, intrusion detection, and host protection, improving the overall security of the industrial control system. It will create an effective security construction model for the construction of the network security protection system of the enterprise industrial control system and improve the ability of integrated security protection in management and control.

  has improved the industrial control security defense capabilities through the active security defense construction in this plan. Based on the average annual defense against cyber attacks and the average loss of 5 million yuan caused by each attack, the project was put into operation from November 2020 to April 2021, which is reduced by about 2 million yuan in suspension. Due to the construction of this project, the operation and maintenance efficiency has been improved, and the operation and maintenance costs of the industrial control system can be reduced by about 300,000 yuan each year.

  This solution has strong promotional value and is also suitable for promotion and application in industrial control systems in other scenarios in the petroleum and petrochemical industry.

  Industrial Internet Security Capability Guide —— Industrial Control Inspection/Authment Part

  Key Discovery

  • Security priority requirements in traditional IT environments: CIA, and the security priority requirements in industrial control environments are exactly the opposite: AIC. Therefore, the primary requirement of industrial control inspection/auditation products - especially active scanning inspection products - is that they cannot have an impact on business continuity; the number of identification and analysis of mainstream industrial agreements by
  • is the main measurement standard for this type of product. In addition, soft indicators such as visualization of detection results and relevance to business should also be considered;
  • industrial control inspection/auditation products still take compliance needs as the main driving force, but as the investment of relevant base users gradually increases, the demand driving of practical advanced threat detection is gradually increasing;
  • As customers' detection capabilities become more mature and the number of industrial Internet security products increases, investment will gradually shift to the capabilities of industrial Internet security management platform. The overall revenue share of industrial Internet security testing products will gradually decline.

  Industrial control detection/audit capability dot map

  

  There are 18 manufacturers participating in industrial control protection capabilities this time, including: Anheng Information, Bozhi Security, Fengtai Technology, Cathay Network Information, Huierte, Lischen Anke, Liufang Cloud, Luo'an Technology, Green Network, Mulian Technology, Qi'an Technology, Qiming Xingchen, Rong'an Network, Shengborun, Tiandi Hexing, Tianrongxin, Vinut, and Insec.

  Industrial control inspection/audit capability Main product form

  In this series of industrial Internet security reports, inspection is one of the most important components, and "seeing" is the prerequisite for all security management and security services. After development in recent years, the main types of industrial Internet security detection products are as follows:

  • Industrial Asset Discovery and Management

  In the industrial production environment, it is safe to actively/passively discover and asset management of various assets including controllers, control systems, upper computers and other industrial control equipment, as well as network equipment, security equipment, host equipment, etc. in the office network network.

  • Industrial Compliance Inspection Toolbox (Environmental Protection Toolbox, Baseline Inspection System, etc.)

  has the main purpose of compliance inspection, built-in industrial control system level protection inspection standards, and supports portable equipment products with automated evaluation tools such as vulnerability detection, traffic analysis, and configuration verification. Generally, this type of product also supports automatic generation of information security level protection inspection reports and rectification notices.The main users are assessment agencies and on-site law enforcement inspection units (such as assessment centers at all levels, public security, national security, Internet information, confidentiality, etc. ), and group customers inspect and use subordinate units.

  • Industrial Monitoring Audit

  Audit products that conduct security monitoring and behavior analysis of network traffic in industrial production environments. The purpose of this type of product is to identify security incidents such as illegal operations, overpowering execution, external attacks, etc. and alert them in real time. At the same time, comprehensively record the network operation status and communication behaviors of various protocols in the network, generate analysis reports, and give rational suggestions, providing a basis for investigating and evidence collection of security incidents. Since the deployment is done bypass monitoring, it does not affect the production and operation of existing systems, audit products can be used in most network environments.

  • Industrial Security Assessment (including industrial missed scans and anti-virus)

  This type of product covers modules such as asset discovery, vulnerability scanning, configuration verification, Windows security reinforcement, compliance-proof association, Wifi security detection, etc., with the purpose of discovering various vulnerabilities in the industrial control environment, including various known security vulnerabilities, security configuration problems, non-compliance behavior and other risks. Provide professional and effective assessment reports and repair suggestions to user security managers before the information system is actually compromised. Therefore, this type of product generally has intuitive reporting functions. Some security companies with antivirus genes will also have built-in shelling engines, decompression engines, and antivirus engines in this type of product, combining feature code scanning, heuristic scanning and other technologies to detect various existing and unknown virus threats.

  • Industrial Control Vulnerability Mining

  This type of product is mainly used to discover unknown vulnerabilities in industrial control equipment (PLC, RTU, etc.) and industrial control systems (DCS, SCADA, etc.). With black box testing as the main technical implementation method, the output test report should be able to clearly locate problems and provide test messages for problem backtracking. For base users with higher security requirements and more budgets, this type of product can further improve the security of industrial control systems.

  • Industrial Intrusion Detection System

  As the name suggests, IDS is applied to the industrial Internet environment. It mainly detects and alarms in real-time various hacker attacks and malicious traffic such as buffer overflow, SQL injection, brute force cracking, DDoS attacks, scanning and detection, worm viruses, Trojan backdoors, spyware, spy hijacking, botnets and other hacker attacks and malicious traffic.

  Key points for implementing industrial control detection/audit capabilities

  does not affect the user's business as the basic principle

  The priority requirement for security in traditional IT environment is CIA, and the priority requirements for security in industrial control environments are exactly the opposite - AIC. In the industrial control environment, most equipment and systems require uninterrupted operation 7*24 hours a day, so the first thing to note is that it cannot affect user business when actively scanning and testing products. If asset discovery and vulnerability scans, version matching should be the main focus, and pac verification scanning cannot be used. At the same time, you must be able to flexibly configure the scanning strategy and pay attention to the product's occupation process and resources. The hardware level and operating systems of many old devices cannot withstand the impact of large traffic scanning behavior. If it is traffic detection, be sure to use bypass monitoring, and pay attention to the scope and depth of product checkpoints to avoid network congestion such as loopback and affect normal service traffic. All product deployment should be convenient, and try not to interrupt or only take up a very short interruption time.

  must be able to adapt to harsh industrial environments

  Security detection products must have the reliability and stability of IP40 or above protection, anti-electromagnetic interference, power supply redundancy, fanless heat dissipation, dual-machine hot backup, port redundancy, wide temperature and wide pressure and other industrial-grade reliability and stability. For military users, some portable testing products should also have three-proof (dust, waterproof, and shockproof) capabilities, and have their own power supply, suitable for harsh environmental applications.

  Balance between whitelist and blacklistUse

  whitelist is the basic technical implementation idea for security detection products in industrial control environment, but relying solely on the limitations of whitelist may even be exploited.For example, the "TRISIS" (TRISIS) malicious code discovered in 2018 against the industrial control system of an oil and gas plant in the Middle East uses social workers' skills to disguise as a safe instrument system to successfully enter the target network bypassing the "white environment" mechanism. In addition to using social workers, attacks directly against whitelisted devices and whitelisted software are becoming more and more frequent. Some complex attacks use hash collision attack methods to bypass the "whitelist" mechanism, posing a threat to the system. Therefore, based on the whitelist, the detection capability of characteristic data such as known viruses, known vulnerability databases, threat intelligence should be increased. Moreover, the products of suppliers currently generally have a certain degree of intelligent learning technology. They generate a whitelist library through automatic learning, and use this as a starting point to conduct security inspections on demand, so that the whitelist also has a certain degree of flexibility. In short, the balance point between white and black in should be formulated as needed based on the user's own business situation.

  main core capabilities of industrial control testing/auditation

  For the above product forms and implementation points, there are five main core capabilities of industrial Internet security products: identification, analysis, collection, knowledge base, and visualization.

• . The first main core capability to identify the "detection" capability of

  is the accurate fingerprint recognition capability of industrial control equipment. The capability measurement criteria are the number and accuracy of mainstream protocols that can be identified, such as OPC, Modbus, DNP3.0, S5, S7, Ethernet/IP, MBTP, IEC104, IEC1850, Profinet, BACnet, MMS, FOCAS, ENIP, Melsec-Q, PCWorx, ProConOs, Crimson and other well-known domestic and foreign manufacturers such as Siemens, Schneider, Rockwell, ABB, Emerson, Beckford, Omron, Delta, Holland, Mitsubishi, Honeywell, Invisibles, etc. The threshold for identification capability is relatively low. Comprehensive judgment of equipment protocols, equipment types, software and hardware versions, manufacturers, open ports, services and other information can accumulate a large number of protocol identifications. However, higher capability barriers require a special technical team to analyze the protocol architecture, communication process, message structure, parsing function code, sensitive message and other information through reverse analysis and other means. Currently, the number of protocol identification capabilities of major security companies in the industry varies from dozens. Users can consider suppliers based on their own situation.

. Parsing

is different from "identification", and the detection ability requires higher and more in-depth requirements for "parsing". It is necessary to be able to perform deep analysis of the mainstream protocols at instruction level and value range, accurately parse the function codes, value ranges, opcodes, register address ranges, etc. in the protocol, so as to detect the message format and integrity, and determine whether there are any abnormal messages - try to disguise malicious code as content of normal communication protocols to enter the internal or regional industrial control system network or region, link firewalls to prevent abnormal code attacks and other attacks that occur within the industrial control Ethernet network. Some audit products of

will also record more detailed operation data of instruction sets such as command changes, load changes, status changes, etc., and have some functions similar to business interruption alarms. From the perspective of production safety, of course, this also falls into the security category. Users can choose on demand. Due to the current situation of industrial production equipment manufacturers, the number of protocol resolution capabilities of major security companies in the industry varies from 20 to 30. Users can consider suppliers based on their own situation.

includes timed collection and real-time collection. For example, assets, environments, vulnerabilities, etc. will not change frequently. Timed collection or triggered collection (the management center issues instructions). Real-time monitoring mode is adopted for data that will change frequently such as processes, files, networks, etc., and real-time collection and reporting are carried out.

audit products must have the ability to collect and store raw data. Audits in some industries require data retention time of no less than six months. The collection method can be real-time acquisition or regular acquisition.The collection method can be to directly collect industrial data, such as connecting to the 485 serial port to collect data, or to collect data through Syslog, SNMP, SNMP Trap, ICMP, SSH, NMAP, traffic sniffing and other methods according to different goals of industrial control equipment, network equipment, host equipment, security equipment, etc.

Here we mainly consider the comprehensiveness of data collection. For example, the host device includes all user login, operation information, important operation information of various databases, middleware, and access information of peripheral devices (keyboard, mouse and all mobile storage devices); network equipment configuration changes, traffic information, network port status and other security event information; security protection equipment includes firewalls, vertical encryption authentication devices, forward isolation devices, reverse isolation devices, intrusion detection systems (IDS), operation and maintenance operation audit systems, honeypots, web application firewalls and other security devices; logs include system logs, configuration logs, traffic logs, attack logs, access logs, etc.

. Knowledge Base

builds an industrial control protocol analysis library, improves the security incident feature library, enriches the network attack knowledge base, and conducts in-depth analysis, identification, discovery, tracking and evaluation of multi-environment and multi-service traffic. (Wooden Chain)

The knowledge base here mainly refers to the asset fingerprint library, vulnerability library, virus library, intrusion detection rule library, security attack feature library, etc. required for detection products. Each company has its own standards for classification and counting, so we do not emphasize and encourage simple comparison of the number of knowledge bases of each company. However, there are two abilities to explain. First, no matter the number of knowledge bases is large or small, the inspection should also consider efficiency and accuracy. The second is whether the private protocol provides a development interface or SDK, so that users can expand and support private protocols and do customized development by themselves;

. Visualization

In the industrial control environment, many security states are not as intuitive as those in the IT environment, so more attention is needed to pay attention to visualization capabilities. For example, asset status data, protocol-based network topology view and network traffic view , statistical data with time dimensions, analysis result data, abnormal behavior alarm information, key handling suggestions, etc. After

initially detects threats and confirms them, it is better if it can have certain visual analysis capabilities. For example, it is related to the assets under threat risk with business attributes, or accesses the user's industrial production data, combining security risks with production data, and shows its potential downtime and business risks caused by production shutdowns. The purpose of visualization must not only beautify, but more importantly, reflect the value of safety.

6. Innovative attempts

This survey found that the detection capabilities of security enterprises have certain convergence, and the differences are mainly concentrated on the identification and analysis of the protocol, but some enterprises are still trying to make some innovative attempts. We list them here for user reference:

• adaptive industrial control security detection integrating the concept of zero trust;
• studies and applies advanced technologies such as SOAR and UEBA in the field of industrial security to conduct trend analysis and model key parameters of the production process in industrial protocols, and identify normal production activities and abnormal changes in key parameters;
• 's preliminary traceability and traceability capabilities: support traffic backtracking, trace attack process, support correlation analysis of attack paths, and save attack evidence;
• installs a PCI trusted control card on security devices to realize trusted functions.Real-time monitoring of key points such as operating systems, applications, key memory areas, network communications, etc., and finally the trusted verification results are formed into an audit record and sent to the security management platform; the security management platform handles the trusted status values ​​reported by all security devices and presents the credible status of the entire security protection system;
• monitors, sorts out and analyzes vulnerabilities, attacks, etc. in the network, and conducts correlation evaluations of the detected vulnerabilities and authoritative vulnerabilities library, gives quantitative evaluation (risk value), and conducts early warning and display;
• conducts correlation analysis based on multiple dimensions such as assets, events, threats, time, space, and business behavior, comprehensively, multi-dimensional, and system statistics and analysis, and displays them in visual charts;
• is based on AI algorithms and models, and does not rely on the feature library upgrade method to detect threats.

Requirements Changes: Practical Threat Detection

Among the users who need industrial Internet security detection, there are many related base users, and the threat level they face is gradually increasing. For key information infrastructure industries in many countries such as electricity, petroleum and petrochemicals, rail transit, intelligent manufacturing, steel and metallurgy and military industry, threat detection scenarios are becoming more and more practical, and the requirements for industrial Internet security detection products are also becoming more and more "capable". For example, in-depth analysis of industrial protocols, abnormal traffic monitoring after modeling based on normal communication behavior, automated analysis of security events to a certain extent, unified management and visualization of threat risks, detection and defense of advanced threats, asset-based risk identification, etc. This requires suppliers to integrate the above testing products with the industrial control honeypots, security management platforms, security services and other content in this series of reports, and then implement security operations in actual combat so as to achieve the greatest capabilities and effects.

Industrial Internet Security Inspection/Audit Capability Market Situation

• According to the direction of this survey, my country's industrial Internet Security Inspection Capability Revenue in 2019 was approximately RMB 411 million, and the overall revenue in 2020 was approximately RMB 689 million. It is estimated that the revenue in 2021 will be RMB 1.056 billion, and it is expected to reach RMB 1.42 billion in 2022. As customers' detection capabilities become more mature and the number of industrial Internet security products increases, investment will gradually shift to industrial Internet security management platform capabilities. The overall revenue share of industrial Internet security testing products will gradually decline.
• industrial Internet security detection products are currently mainly delivered by single standardized products, accounting for 57.15%. Customized products and operations account for 24.19%; as a single function delivery, subscription model and other models account for 18.66%.
• From the perspective of sales methods, there is not much difference between direct sales by manufacturers and sales through channels. Direct sales (44.81%) account for a slightly higher proportion than channels (38.91%), while OEM accounts for 16.29%.
• At present, the main industry of industrial Internet security detection capabilities is electricity, accounting for 29%. Electricity started early in the entire industrial Internet field and invested more, so more security capabilities were implemented. The remaining industries that account for more than 10% are rail transit (17%), petroleum and petrochemical (12%), as well as other industries such as tobacco, education, and military industry, which also account for 15% after summary. From the perspective of future development, petroleum and petrochemical will become the next area for security manufacturers to compete for.

Case 3: Rail Transit-Comprehensive Monitoring System Safety Protection Construction Project (This case is provided by Lischen Anke)