Network auditing method and device of industrial control system

An industrial control system and network technology, applied in transmission systems, electrical components, etc. It addresses the prior art's failure to account for the lower risk level of read operations, to consider on-site asset conditions, and to divide high-risk alarms by risk level, with the effect of reducing the number of alarms, improving work efficiency, and reducing maintenance costs.

Pending Publication Date: 2020-12-01
GUIZHOU QIANYUAN POWER CO LTD +1

AI Technical Summary

Problems solved by technology

[0005] 1) This technology treats every alarm that violates the whitelist rules as a high-risk alarm. It does not consider that the whitelist learning data may be incomplete; not all alarms that violate the whitelist are high-risk alarms.
[0006] 2) This technology does not consider the on-site assets. If the device that generates the alarm is a known asset on the intranet, the whitelist learning data may simply be missing, and this alarm cannot be counted as high-risk.
[0007] 3) This technology does not distinguish between the different operations of industrial protocols. It generates alarms regardless, although the risk level of read operations is lower than that of write operations.
[0010] 1) While this technology refines the whitelist, high-risk alarms are not divided according to the danger level of the alarms, and users may face a large number of alarms that they cannot process.
[0011] 2) This technology does not classify the alarms that violate the whitelist, and cannot deal with high-risk alarms effectively.

Examples


[0104] In the following, specific illustrative examples will be described for ease of understanding.

[0105] Five alarms A1, A2, A3, A4 and A5 are received through the unified security management platform 102. At this time, the five-tuple data of the five alarms A1, A2, A3, A4 and A5, comprising source IP, destination IP, destination port, industrial protocol, and industrial protocol function code, are extracted, as shown in Table 2 below.

[0106] [Table 2]

[0107]

[0108] By extracting the five-tuple data of each alarm A1-A5 and querying the alarm threat table, the table is found to contain entries with the same data as alarms A1, A4 and A5. Therefore, the total threat values in the alarm threat table are directly assigned to alarms A1, A4 and A5: the total threat value of alarm A1 is 9, the total threat value of alarm A4 is 4, and the total threat value of alarm A5 is 7.

[0109] For the alarms A2 and A3 that are not found in the alarm threat table, calculate the to...
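The lookup-then-score flow of paragraphs [0105] to [0109], as an added sketch that is not code from the patent. Only the totals 9, 4 and 7 for A1, A4 and A5 come from the page; the five-tuples, the asset inventory, the threat value list and the level thresholds are constructed assumptions, since Table 2 and the calculation for A2 and A3 are not reproduced here.

```python
from typing import NamedTuple

class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    function_code: int

# Constructed sample alarms (the page's Table 2 is not reproduced here).
ALARMS = {
    "A1": FiveTuple("203.0.113.9", "10.0.0.20", 502, "modbus", 16),
    "A2": FiveTuple("10.0.0.5", "10.0.0.20", 502, "modbus", 3),
    "A3": FiveTuple("198.51.100.7", "10.0.0.21", 502, "modbus", 6),
    "A4": FiveTuple("10.0.0.5", "10.0.0.21", 502, "modbus", 6),
    "A5": FiveTuple("10.0.0.6", "192.0.2.44", 502, "modbus", 16),
}
# Alarm threat table: totals 9, 4, 7 are the page's values for A1, A4, A5.
ALARM_THREAT_TABLE = {ALARMS["A1"]: 9, ALARMS["A4"]: 4, ALARMS["A5"]: 7}

# ASSUMPTIONS below: asset inventory, threat value list and level thresholds.
KNOWN_ASSETS = {"10.0.0.5", "10.0.0.6", "10.0.0.20", "10.0.0.21"}
MODBUS_WRITE_CODES = {5, 6, 15, 16}  # write coil/register function codes
THREAT_VALUES = {"unknown_src": 4, "unknown_dst": 3, "write": 3, "read": 1}
LEVELS = [(8, "high"), (5, "medium"), (0, "low")]

def total_threat(t: FiveTuple) -> int:
    """Use the alarm threat table on a match, otherwise sum the value list."""
    if t in ALARM_THREAT_TABLE:
        return ALARM_THREAT_TABLE[t]
    score = 0
    if t.src_ip not in KNOWN_ASSETS:
        score += THREAT_VALUES["unknown_src"]
    if t.dst_ip not in KNOWN_ASSETS:
        score += THREAT_VALUES["unknown_dst"]
    is_write = t.protocol == "modbus" and t.function_code in MODBUS_WRITE_CODES
    score += THREAT_VALUES["write" if is_write else "read"]
    return score

def threat_level(total: int) -> str:
    return next(name for floor, name in LEVELS if total >= floor)

def triage(alarms: dict) -> dict:
    """Map alarm name -> (total threat value, level), highest first."""
    scored = {n: (total_threat(t), threat_level(total_threat(t))) for n, t in alarms.items()}
    return dict(sorted(scored.items(), key=lambda kv: -kv[1][0]))

if __name__ == "__main__":
    for name, (total, level) in triage(ALARMS).items():
        print(f"{name}: total={total} level={level}")
```

Under these assumed weights a read from a known asset to a known asset (A2) scores lowest, which is the reduction in high-risk alarms the page attributes to considering assets and read/write operations.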


Abstract

The invention discloses a network auditing method and device of an industrial control system, and relates to the technical field of industrial automation control. One specific embodiment of the method comprises the following steps: industrial firewall equipment and an industrial control monitoring terminal being used for identifying and alarming, putting the identified alarms into a filter table, receiving each alarm in the filter table by a unified security management platform, and for each alarm, obtaining a total threat value of each alarm according to a threat value list pre-stored in the unified security management platform; and determining the threat level of each alarm based on the acquired total threat value of each alarm, and determining the display of the alarm according to the determined threat level. According to the embodiment, high-risk alarm identification can be carried out on the alarm information generated by violation of the white list rule, a large number of high-risk alarms caused by incomplete white list learning data are avoided, the number of the high-risk alarms is reduced, and a user can process the high-risk alarms conveniently and preferentially.

Description

Technical field

[0001] The invention relates to a network audit method and device for an industrial control system, belonging to the technical field of industrial automation control, capable of accurately and efficiently generating and identifying high-risk alarms.

Background technique

[0002] At present, various industrial control systems are widely used in the fields of industry, energy, transportation, water conservancy and municipal administration to control the operation of production equipment. Once there is a loophole in the information security of the industrial control system, it will cause major hidden dangers to industrial production and operation and national economic security. With the development of computer and network technology, especially the deep integration of informatization and industrialization and the rapid development of the Internet of Things, more and more industrial control system products use general protocols, general hardware and general softw...

Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPC: H04L63/0236, H04L63/0263, H04L63/101, H04L63/12, H04L63/1441, H04L63/20
Inventor 张显陈辉李泽宏胡毅饶毅李炎东吴永琦张启阳张明远李飞
Owner GUIZHOU QIANYUAN POWER CO LTD