An industrial internet security operation and maintenance risk assessment method and system
By constructing and analyzing the risk links of the Industrial Internet, dynamically prioritizing and adjusting strategies, the problem of inaccurate risk link identification and assessment in existing technologies has been solved, achieving efficient risk management and improved system stability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING HI TECH TECH
- Filing Date
- 2025-12-08
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies struggle to identify and quantify various risk links in the Industrial Internet in a timely manner, leading to uneven distribution of security protection resources. High-risk events may spread rapidly, affecting critical production units and increasing the uncertainty and delay in operation and maintenance decisions.
By collecting initial information about the industrial internet operating environment, constructing risk links, screening out primary risk links, and analyzing dynamic operating data, dynamic prioritization and response triggering measures are adjusted. Combined with cross-validation of multi-level risk links and adjustment of network security strategies, a closed-loop feedback of risk assessment is achieved.
It enables accurate identification and quantitative assessment of potentially high-risk links in the industrial internet, dynamically adjusts protection strategies, improves risk handling efficiency, ensures system security and stability, and enhances scientific rigor, controllability, and reliability.
Smart Images

Figure CN121690707B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data management technology, and in particular to a method and system for assessing security operation and maintenance risks in the industrial internet. Background Technology
[0002] With the rapid development of the Industrial Internet, the deep integration of traditional industrial control systems and information and communication technologies has significantly improved the operational efficiency and intelligence level of key industries such as production, energy, transportation, and manufacturing. However, this highly interconnected environment also brings complex and ever-changing security threats and operational risks, manifesting as the superimposed effects of multiple potential risks such as external attacks, internal misoperations, equipment failures, and network anomalies. The control devices, sensors, network nodes, and data interaction links in the Industrial Internet system constitute a vast and complex risk network. An anomaly or vulnerability in any link can rapidly spread through dependencies, leading to the interruption of critical production units, loss of industrial assets, or safety accidents. Traditional static security protection methods cannot meet the needs of this highly dynamic and multi-layered risk environment. Therefore, it is urgent to establish a systematic risk assessment mechanism. Through comprehensive identification, quantitative analysis, and dynamic priority management of various risk links in the Industrial Internet, real-time monitoring, response triggering, and closed-loop feedback optimization of risks can be achieved, thereby ensuring the security, stability, and reliability of the Industrial Internet operation.
[0003] For example, CN118966788A discloses a risk assessment method and system for operation and maintenance data, belonging to the field of operation and maintenance management technology. It collects operation and maintenance datasets of target equipment, extracts and combines corresponding types of operation and maintenance data to obtain operation and maintenance data sequences, then extracts feature vectors of the data sequences for anomaly analysis, determines the abnormal operation and maintenance data and reference anomaly values when an anomaly is determined in the operation and maintenance data sequence, and finally assesses the risk level based on the reference anomaly values and conducts corresponding operation and maintenance data risk warnings to efficiently monitor potential security risks, performance bottlenecks and fault hazards of target equipment.
[0004] For example, CN114936725A discloses a large power grid risk assessment and differentiated operation and maintenance system, which includes an online monitoring module, a status evaluation module, a risk assessment module, an operation and maintenance strategy module, an auxiliary optimization module, and a data integration and analysis module. The online monitoring module connects to the online monitoring device of the substation equipment and its near real-time monitoring data through an integrated standard. The status evaluation module analyzes and evaluates various status indicators reflecting the health status of the equipment. The risk assessment module assesses the probability of equipment failure and the severity of the consequences. The operation and maintenance strategy module formulates relevant equipment operation and maintenance strategies based on changes in health or importance. The auxiliary optimization module is used to formulate the operation and maintenance plan for the following year. The data integration and analysis module includes multi-dimensional analysis of defect data, intelligent correction of defect data, and test data management.
[0005] The above-mentioned technology has at least the following technical problems:
[0006] Potential threats across various risk links are difficult to identify and quantify in a timely manner. The ambiguity of risk levels and priorities leads to uneven allocation of security protection resources. High-risk events may spread and affect critical production units in a short period of time, threatening the business continuity and control reliability of the overall system and increasing the uncertainty and delay of operation and maintenance decisions. Summary of the Invention
[0007] To address the technical problems existing in the prior art, this invention provides a method for assessing the security operation and maintenance risks of the Industrial Internet. The technical solution includes: initial information collection of the Industrial Internet operating environment; construction of various risk links within the Industrial Internet; analysis of these risk links to obtain primary risk factors for each risk link; and preliminary screening of these primary risk links.
[0008] The dynamic operation data of each primary risk link in the Industrial Internet is obtained and analyzed to identify each secondary risk link. The secondary risk links of the Industrial Internet are dynamically prioritized and the response triggering measures for each secondary risk link are adjusted.
[0009] Cross-validate the multi-level risk links of the industrial internet, adjust network security strategies, and provide feedback on the risk assessment of industrial internet security operation and maintenance.
[0010] The second aspect of the present invention also provides an industrial internet security operation and maintenance risk assessment system, including: a risk link construction and primary risk assessment module, used to collect initial information on the industrial internet operating environment, construct various risk links of the industrial internet, analyze various risk links of the industrial internet, obtain primary risk factors of various risk links of the industrial internet, and preliminarily screen various primary risk links of the industrial internet.
[0011] The Link Dynamic Assessment and Response Trigger Adjustment Module is used to acquire and analyze the dynamic operation data of each primary risk link in the Industrial Internet, obtain each secondary risk link in the Industrial Internet, dynamically prioritize each secondary risk link in the Industrial Internet, and adjust the response trigger measures for each secondary risk link in the Industrial Internet.
[0012] The verification and policy feedback closed-loop module is used to cross-verify the multi-level risk links of the industrial internet, adjust network security policies, and provide feedback on the security operation and maintenance risk assessment of the industrial internet.
[0013] The beneficial effects of the technical solutions provided in the embodiments of the present invention include at least the following:
[0014] (1) This invention proposes an industrial internet security operation and maintenance risk assessment method. First, the initial information of the industrial internet operating environment is collected and each risk link is constructed. Then, each primary risk link is further analyzed and screened. Then, the dynamic operation data of each primary risk link is obtained and the priority is sorted based on its dynamic comprehensive risk score. At the same time, the response triggering measures of the primary risk links are dynamically adjusted to achieve the pertinence and timeliness of risk handling. Finally, the actual effect of each adjustment measure is evaluated by cross-validation of multi-level risk links, and the network security strategy is finely adjusted. This method can effectively identify and quantify potential risks, dynamically adjust protection strategies, improve the handling efficiency of high-risk links, and ensure the overall system security and stability, thereby significantly enhancing the scientificity, controllability and reliability of industrial internet security operation and maintenance.
[0015] (2) By obtaining the primary risk factors of each risk link in the Industrial Internet, this invention can accurately identify and screen potential high-risk links in the Industrial Internet, realize the quantitative assessment and dynamic judgment of the risks of each link in the Industrial Internet, accurately identify key risk nodes, improve the pertinence and effectiveness of risk disposal, and provide a reliable data foundation for subsequent dynamic priority ranking, response triggering measures adjustment and network security strategy optimization, thereby significantly improving the scientific nature, controllability and overall system stability of Industrial Internet security operation and maintenance.
[0016] (3) By obtaining the second risk factor of each primary risk link of the Industrial Internet, this invention helps to dynamically prioritize each primary risk link of the Industrial Internet, enabling continuous dynamic monitoring and multi-dimensional risk assessment of the Industrial Internet links. It considers both the risk level of the links and their observability and protection reliability, so that the priority order of high-risk links can be scientifically determined during the security operation and maintenance process, thereby improving the overall protection effect of the system, reducing the probability of potential security events, and providing a reliable basis for the dynamic adjustment of subsequent response triggering measures and the optimization of network security strategies.
[0017] (4) The present invention adjusts the response triggering measures of each primary risk link in a hierarchical manner according to the dynamic priority of each secondary risk link in the industrial internet. After the adjustment is completed, the dynamic comprehensive risk score of each secondary risk link is re-acquired and sorted to determine whether further adjustment of network security strategy is needed. It can realize the priority handling and dynamic resource allocation of high-risk links, ensure more accurate and timely response to security incidents, and reduce the risk to a controllable range through continuous monitoring and feedback mechanisms, improve the overall security and protection reliability of the industrial internet, and provide quantitative basis and closed-loop management capabilities for operation and maintenance decisions. Attached Figure Description
[0018] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0019] Figure 1 This is a schematic diagram of the method provided in an embodiment of the present invention;
[0020] Figure 2 This is a flowchart of an industrial internet security operation and maintenance risk assessment method provided by an embodiment of the present invention;
[0021] Figure 3 This is a security operation and maintenance overview diagram provided for embodiments of the present invention;
[0022] Figure 4 This is a diagram of the risk link monitoring and prioritization interface provided in an embodiment of the present invention;
[0023] Figure 5 A schematic diagram of system modules provided in an embodiment of the present invention. Detailed Implementation
[0024] The technical solution of the present invention will now be described with reference to the accompanying drawings.
[0025] In embodiments of the present invention, words such as "exemplarily," "for example," etc., are used to indicate that something is an example, illustration, or description. Any embodiment or design described as "exemplary" in the present invention should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of the word "exemplary" is intended to present the concept in a concrete manner. Furthermore, in embodiments of the present invention, the meaning expressed by "and / or" can be both, or either one.
[0026] In the embodiments of this invention, the terms "image" and "picture" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning. Similarly, the terms "of," "corresponding (relevant)," and "corresponding" may sometimes be used interchangeably. It should be noted that, without emphasizing the distinction between them, they convey the same meaning.
[0027] In this embodiment of the invention, sometimes a subscript such as W1 may be written in a non-subscript form such as W1. When the difference is not emphasized, the meaning they express is the same.
[0028] To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description will be given below in conjunction with the accompanying drawings and specific embodiments.
[0029] like Figure 1 As shown, this embodiment of the invention provides a method for assessing the security operation and maintenance risks of the industrial internet, including: collecting initial information on the industrial internet operating environment, constructing various risk links of the industrial internet, analyzing various risk links of the industrial internet, obtaining primary risk factors of various risk links of the industrial internet, and initially screening various primary risk links of the industrial internet.
[0030] It should be noted that the process of initial information collection and risk link construction for the industrial internet operating environment is as follows: First, static metadata is collected from asset lists, configuration management databases, network topology (switches / routing tables, VLANs, subnets), process flow diagrams, control system lists (DCS / PLC / RTUs, gateways and remote maintenance channels), and third-party access records. Simultaneously, runtime behavior data is collected through passive and active means (NetFlow / PCAP, SNMP, Syslog, traffic mirroring, device heartbeats, sensor readings, session establishment / failure rates, device performance metrics). Then, the collected entities are abstracted into nodes in a graph database (such as controllers, I / O points, transmitters, actuators, network devices, and fortresses). The system constructs a graph of risk links between nodes (including the machine and external connection points) and establishes directed or undirected edges based on actual communication, control dependencies, and process flows. During the graph construction process, edge attributes and metadata (protocol type, port, encryption / authentication method, traffic characteristics, connection time window, and most recent change record) are added, and the existence and timeliness of the links are verified using time-series logs and session tracking. Subsequently, suspicious channels and unauthorized access points are marked by associating with historical event databases, vulnerability scan outputs, and threat intelligence. The construction results are then reviewed and verified by experts from the CMDB and process security team through expert review and simulation. Finally, a queryable and traceable risk link graph file is formed for subsequent dynamic monitoring, path deduction, and handling processes.
[0031] The dynamic operation data of each primary risk link in the Industrial Internet is obtained and analyzed to identify each secondary risk link. The secondary risk links of the Industrial Internet are dynamically prioritized and the response triggering measures for each secondary risk link are adjusted.
[0032] Cross-validate the multi-level risk links of the industrial internet, adjust network security strategies, and provide feedback on the risk assessment of industrial internet security operation and maintenance.
[0033] like Figure 2 As shown, Figure 2This is a flowchart illustrating a method for assessing security operation and maintenance risks in the Industrial Internet. It identifies potentially threatening critical links by constructing risk links within the Industrial Internet and progressively introducing risk factors for quantitative screening. Next, a dynamic prioritization mechanism categorizes these risk links into different risk levels, and differentiated response measures are developed for each level. The effectiveness of the response is then measured based on changes in the ranking after handling. Specifically, the initial risk factors for each risk link in the Industrial Internet are obtained through the following process: acquiring operational transmission data for each risk link, including: link packet loss rate, maximum CPU utilization, average measurement deviation of key process sensors, and the number of abnormal remote accesses.
[0034] By comparing the packet loss rate of each risk link in the Industrial Internet with the defined packet loss rate stored in the database, the maximum CPU utilization with the defined CPU utilization stored in the database, the average measurement deviation of key process sensors with the defined measurement deviation of key process sensors stored in the database, and the number of abnormal remote accesses with the defined number of abnormal remote accesses stored in the database, and introducing weighting coefficients, we obtain the primary risk factors for each risk link in the Industrial Internet. The primary risk factors for each risk link in the Industrial Internet are used to quantitatively assess the potential threat intensity of each link in the operating environment and the potential impact on the business continuity and control reliability of the overall Industrial Internet system.
[0035] It should be noted that the specific analysis conditions for the primary risk factors in each risk link of the Industrial Internet are as follows:
[0036] ;
[0037] In the formula, FL i Db represents the primary risk factor of the i-th risk link in the Industrial Internet. 1i LC represents the packet loss rate of the i-th risky link in the Industrial Internet. 2i This represents the maximum CPU utilization of the i-th risky link in the Industrial Internet. 3i YC represents the average measurement deviation of the critical process sensors in the i-th risk link of the Industrial Internet. 4i Let represent the number of abnormal remote accesses in the i-th risk link of the Industrial Internet, Db represent the link-defined packet loss rate, LC represent the defined CPU utilization, CP represent the defined measurement deviation of key process sensors, YC represent the number of abnormal remote accesses, S1 represent the weight coefficient corresponding to the link packet loss rate stored in the database, S2 represent the weight coefficient corresponding to the maximum CPU utilization stored in the database, S3 represent the weight coefficient corresponding to the average measurement deviation of key process sensors stored in the database, and S4 represent the weight coefficient corresponding to the number of abnormal remote accesses stored in the database.
[0038] It's important to note the close coupling between link packet loss rate, maximum CPU utilization, average measurement deviation of critical process sensors, and the number of abnormal remote accesses: An increased link packet loss rate typically leads to delays or loss of control command and feedback data transmission, increasing CPU processing pressure and causing peak fluctuations in CPU utilization. Simultaneously, due to incomplete or delayed transmission of control signals and sensor data, the average measurement deviation of critical process sensors may be amplified, reflecting a decrease in real-time control accuracy. An increase in the number of abnormal remote accesses can not only directly consume network bandwidth and cause localized packet loss, but may also trigger system protection mechanisms, leading to a sudden increase in CPU load and causing abnormal sensor data access, further amplifying measurement deviations. Conversely, if abnormal deviations in critical process sensors are not corrected in time, it may trigger frequent retransmissions or automatic correction actions in the control system, increasing link load and CPU utilization, accompanied by an increase in the number of abnormal access detections.
[0039] It should be noted that the weighting coefficients corresponding to the link packet loss rate, the maximum CPU utilization, the average measurement deviation of key process sensors, and the number of abnormal remote accesses are all stored in the database, and their values are usually preset between 0 and 1. For example, by constructing mapping tables between the link packet loss rate, the maximum CPU utilization, the average measurement deviation of key process sensors, and the number of abnormal remote accesses and their corresponding weighting coefficients, the real-time detected link packet loss rate, maximum CPU utilization, average measurement deviation of key process sensors, and number of abnormal remote accesses are input into the corresponding mapping tables in the database, thereby quickly obtaining the weighting coefficients corresponding to the link packet loss rate, the maximum CPU utilization, the average measurement deviation of key process sensors, and the number of abnormal remote accesses, respectively.
[0040] It should be noted that in the risk assessment of industrial internet security operations and maintenance, the link packet loss rate is obtained by continuously monitoring the data packet transmission status of the network link. Specifically, this is achieved by the network devices (such as routers and switches) automatically recording the total number of data packets sent and received using built-in counters, or by actively sending dedicated probe data packets (such as ICMP). The reliability of a link is quantified by pinging packets and calculating their loss ratio. The core calculation involves dividing the number of lost packets within a specific time period by the total number of packets sent within that time period, and then multiplying by the percentage. The maximum CPU utilization is obtained by periodically (usually every second or every few seconds) sampling the processor core's time in user mode, kernel mode, and idle mode using the operating system or hardware management controller. The ratio of active time to total sampling time is calculated to obtain an instantaneous utilization percentage. These instantaneous values are then continuously recorded over a slightly longer aggregation period (e.g., 1 minute or 5 minutes), and the highest percentage reading within that period is identified, reflecting the processor's peak load pressure and potential bottlenecks. The average measurement deviation of key process sensors first requires defining the corresponding process standard value or setpoint for each sensor. An automated system (e.g., PLC or DCS) reads the sensor's real-time measurement values at a fixed frequency (e.g., every second). Then, each reading is algebraically subtracted from its corresponding standard value to obtain the single... Each deviation (usually considering absolute values) is calculated, and then the sum of all individual deviations within a specific time period (such as a batch or an hour) is divided by the total number of valid readings within that time period. This yields the average degree to which the sensor measurement results deviate from the expected target, used to evaluate the accuracy of the measurement system. The statistics of abnormal remote access counts rely on real-time analysis and correlation of logs from remote access gateways (such as VPN servers, bastion hosts) and security systems (such as firewalls, IDS / IPS, SIEM). By setting a rule engine or deploying a behavioral analysis model, suspicious events such as logins during unauthorized time periods, abnormal origins (such as high-risk geographical locations), abnormal frequencies (such as short-term intensive attempts), use of non-standard protocol ports, access to unauthorized resources, brute-force attack behavior characteristics, and multiple accounts sharing credentials are identified. Each remote connection behavior that meets the preset abnormal criteria is counted as an abnormal event, and the counts of these independent events are accumulated within a summary period (such as daily or hourly).
[0041] Specifically, the initial screening of primary risk links in the Industrial Internet is carried out as follows: a risk detection sliding window is preset, primary risk factors of each risk link in the Industrial Internet are extracted in the sliding window, and compared with the primary risk factor thresholds of risk links stored in the database. If the primary risk factor of a certain risk link in the Industrial Internet is higher than or equal to the primary risk factor threshold, then the risk link is marked as the first risk link, thus obtaining each first risk link in the Industrial Internet. If the primary risk factor of a certain risk link in the Industrial Internet is lower than the primary risk factor threshold, then the risk link does not need to be marked as the first risk link.
[0042] It's important to note that the sliding window for risk detection is designed to enable continuous and dynamic monitoring of risky links in industrial internet security operations, rather than relying solely on transient data from a single moment. The industrial internet environment is characterized by high real-time performance, rapid data fluctuations, and frequent changes in link status. Using only single-collection data to assess risk is susceptible to instantaneous anomalies, acquisition noise, or brief network congestion, leading to false alarms or missed alarms. The sliding window smooths out short-term fluctuations. By statistically analyzing primary risk factors over continuous time periods, the system can capture trend changes in risk rather than isolated events, thus improving the reliability and robustness of risk assessment. Furthermore, the sliding window provides a time-based view of risk evolution, helping to identify cumulative changes in link status. For example, when the primary risk factor of a link consistently exceeds a threshold across multiple consecutive windows, the system can determine that the link carries a persistent or trending risk, rather than an isolated event, enabling more accurate risk classification and response strategy triggering. The sliding window also facilitates the use of short-term risk factor change rates as input indicators in subsequent dynamic prioritization and response adjustments, providing a data foundation for cross-validation of multi-level risk links and strategy optimization.
[0043] In the risk detection sliding window, the primary risk factors of each first risk link in the industrial internet are compared with the historical baseline range of the corresponding risk link stored in the database. If the primary risk factor of a first risk link in the industrial internet exceeds the historical baseline range of its corresponding risk link, then the first risk link is marked as a primary risk link. If the primary risk factor of a first risk link in the industrial internet does not exceed the historical baseline range of its corresponding risk link, then it is not necessary to mark the first risk link as a primary risk link.
[0044] It should be noted that if the current risk factor is higher than the upper limit of the range, it indicates that the risk level of the link is significantly higher than its historical normal state, which is a sign of increased risk or potential attack expansion. If the current risk factor is lower than the lower limit of the range, it indicates that the operation of the link is significantly weaker than expected, which may represent abnormal monitoring or the link being manipulated to circumvent regulations.
[0045] It should be noted that if the current risk factor is below the lower limit of the range, data integrity and collection link self-checks should be automatically triggered to verify whether the collection point is offline, whether the heartbeat / time synchronization is lost, whether the sampling frequency is downgraded or filtered (e.g., NetFlow / mirror is turned off), and whether the sensor or agent returns abnormal calibration values; at the same time, PCAP packet capture and deep packet inspection should be temporarily enabled to prevent adversarial methods such as silent injection, data suppression or replay attacks.
[0046] Specifically, the dynamic operational data of each primary risk link in the Industrial Internet is acquired and analyzed. The specific process is as follows:
[0047] Extract dynamic operational data from each primary risk link of the Industrial Internet, including detection coverage, intrusion detection hit rate, and the proportion of searchable sessions.
[0048] The second risk factor of each primary risk link in the Industrial Internet is obtained by weighted fusion of the detection coverage, intrusion detection hit rate and searchable session ratio. The second risk factor of each primary risk link in the Industrial Internet is used to quantitatively evaluate the observability and protection reliability of each primary risk link in the actual security monitoring and protection system.
[0049] It should be noted that in the industrial internet security operation and maintenance risk assessment, the second risk factor for each primary risk link is obtained by weighted fusion of the link's detection coverage, intrusion detection hit rate, and searchable session ratio. Detection coverage measures the completeness of monitoring of the link under the current probe, mirror, or collector deployment. This data can be obtained from network topology information and collector configuration statistics. The corresponding weight is usually named coverage weight and is used to adjust the influence of this indicator in the overall score. Intrusion detection hit rate reflects the proportion of confirmed attacks correctly detected by IDS, IPS, or security information event management systems on this link; its data comes from alarms. The record and event tracing comparison, the corresponding weight is usually named the hit rate weight, which indicates its contribution to the comprehensive score; the retrievable session ratio is used to measure the complete storage and traceability of session data or key messages in the link. Its data comes from session storage or log management system, and the corresponding weight is usually named the retrievability weight, which is used to reflect its relative importance in the comprehensive score. By normalizing the three indicators and merging them according to their respective weights, the second risk factor of each primary risk link of the industrial Internet is obtained. Through weighted fusion, various indicators can be unified to the same quantitative scale, which is convenient for overall comparison and priority ranking, thereby guiding operation and maintenance decisions and resource allocation.
[0050] Specifically, the process of obtaining each second risk link in the industrial internet is as follows:
[0051] A preset monitoring period is set, and the primary risk factors of each primary risk link of the Industrial Internet in the risk detection sliding window are obtained during the monitoring period. The difference between the primary risk factors of each primary risk link of the Industrial Internet in the risk detection sliding window and the primary risk factors of each primary risk link of the Industrial Internet in the previous window is calculated to obtain the short-term change rate of the risk factors of each primary risk link of the Industrial Internet.
[0052] It should be noted that the previous window typically represents the set of risk factor data corresponding to the time period preceding the current sliding window. Specifically, if the risk detection sliding window length is T (e.g., 5 minutes or 1 hour), then the previous window is the time period of the same length immediately preceding the current window.
[0053] Extract the short-term change rate of risk factors for each primary risk link of the Industrial Internet during the monitoring period, as well as the secondary risk factors for each primary risk link of the Industrial Internet.
[0054] The second risk factor of each primary risk link in the Industrial Internet is compared with the threshold of the second risk factor of the primary risk link stored in the database. If the second risk factor of a primary risk link in the Industrial Internet is lower than or equal to the threshold of the second risk factor of the primary risk link, then the primary risk link in the Industrial Internet is marked as a second risk link. If the second risk factor of a primary risk link in the Industrial Internet is higher than the threshold of the second risk factor of the primary risk link and the short-term change rate of the risk factor of the primary risk link in the Industrial Internet is positive, then the primary risk link in the Industrial Internet is also marked as a second risk link. Otherwise, the primary risk link in the Industrial Internet does not need to be marked as a second risk link. In this way, each second risk link in the Industrial Internet is obtained.
[0055] It should be noted that the smaller the value of the second risk factor, the lower the observability and protection reliability of the primary risk link in the actual security monitoring and protection system. That is, the link is not adequately monitored, the intrusion detection hit rate is insufficient, or the session retrievability is poor. This means that potential anomalies or attacks are more likely to be ignored or cannot be responded to in a timely manner, thus making the link pose a higher risk to the overall industrial internet system.
[0056] It should be noted that in the process of weighted fusion calculation of the second risk factor for each primary risk link in the industrial internet, indicators such as detection coverage, intrusion detection hit rate, and searchable session ratio need to be uniformly processed according to pre-set weights. The fusion method is usually weighted averaging, so that indicators of different dimensions and magnitudes can be combined into a unified second risk factor value. Since these indicators themselves represent observability and protection reliability, the higher the value, the stronger the link's monitoring, detection, and tracking capabilities, and thus the lower the risk. Conversely, the lower the value, the less visibility and protection capabilities, and the more difficult it is to discover and control potential threats, thus increasing the risk.
[0057] like Figure 3 As shown, Figure 3 The security operation and maintenance overview diagram provided in this embodiment of the invention displays key summary information, including the number of risk links with different priorities, the average dynamic risk score, and its comparison with the threshold, visualized with eye-catching color cards. The core area of the interface intuitively presents the connection status and priority color indicators of key links through a topology diagram. Meanwhile, the table on the right lists the ID, priority, comprehensive risk score, current handling status, and actionable quick operation buttons (such as viewing details and starting diagnostics) for each link, enabling users to quickly identify high-risk links and take initial action. The risk links with different priorities include dynamic priority ranking of each second risk link in the industrial internet. Specifically, during the monitoring period, the short-term change rate of the risk factors of each second risk link in the industrial internet is weighted and fused with the second risk factors of the corresponding second risk links in the industrial internet to obtain the dynamic comprehensive risk score of each second risk link in the industrial internet. The dynamic comprehensive risk score of each second risk link in the industrial internet is used to assess the overall risk level and risk priority of each link in the current operating environment.
[0058] It should be noted that the industrial internet security operation and maintenance risk assessment is based on two types of key parameters: one is the second risk factor of the second risk link, and the other is the short-term change rate of the risk factor of that link, which reflects the changing trend of link risk in the most recent monitoring period. The weights are usually visibility weight and trend weight, where the visibility weight corresponds to the second risk factor and reflects the proportion of link observability in the overall risk, and the trend weight corresponds to the short-term change rate and reflects the importance of the speed of link risk change in the comprehensive score. These weights are obtained in the system through historical data analysis or security policy settings. Finally, the second risk factor and the short-term change rate are multiplied by their respective weights and then merged to obtain the dynamic comprehensive risk score. This score reflects both the real-time changes in link risk and the reliability of the monitoring system, thereby supporting dynamic prioritization and reasonable allocation of security resources.
[0059] The dynamic comprehensive risk scores of each second risk link in the Industrial Internet are sorted from largest to smallest to obtain the dynamic priority of each second risk link in the Industrial Internet. The dynamic priority of each second risk link in the Industrial Internet includes first priority, second priority and third priority.
[0060] It's important to note that in the industrial internet security operation and maintenance risk assessment, the dynamic priority determination of the second-risk link does not solely rely on a single absolute indicator. Instead, it's based on the relative ranking of the dynamic comprehensive risk score within the global context, providing a more comprehensive picture of the link's true risk status in the current operating environment. Therefore, during ranking, links with higher scores indicate a higher current risk level and a faster potential spread, meaning a greater threat to overall system stability and critical asset security, and should be prioritized for handling and resource allocation. Conversely, links with lower scores indicate that their risk is within a controllable range and is unlikely to evolve into a major security incident in the short term, thus their priority is naturally lower. The ranking process typically also incorporates global risk distribution to dynamically adjust thresholds. For example, when the overall risk score of all links is high, the system automatically widens the priority gap. For instance, the top 20% of links are directly marked as first priority, requiring immediate response measures; links in the middle 40% are identified as second priority, requiring continuous monitoring and readiness for upgrades; and the bottom 40% are classified as third priority, requiring only routine inspections. Because links with higher risk scores not only have higher risks, but also change faster, and potential explosive risks are more likely to occur in the short term, security resources must be prioritized to deal with them.
[0061] like Figure 4 As shown, Figure 4 The risk link monitoring and priority interface diagram provided in this embodiment of the invention is used to track the progress of the monitoring cycle, the number of triggered alarms, and display the distribution of links with different priorities in real time. Risk link monitoring also includes adjusting the response triggering measures for each second risk link of the Industrial Internet. Specifically, during the monitoring cycle, the response triggering measures for each second risk link of the Industrial Internet are adjusted based on dynamic priority ranking.
[0062] When the dynamic priority of each second risk link in the Industrial Internet is the first priority, the trigger sensitivity, compensation control threshold and emergency isolation strategy will be adjusted.
[0063] When the dynamic priority of each secondary risk link in the Industrial Internet is the second priority, the trigger threshold and alarm strategy should be adjusted, and the data collection frequency and verification mechanism should be optimized.
[0064] When the dynamic priority of each second risk link in the Industrial Internet is the third priority, the routine inspection frequency, log collection integrity, and periodic risk score update mechanism will be adjusted.
[0065] It should be noted that for adjustments to response triggering measures for first, second, and third priority links, the system first compares the real-time dynamic comprehensive risk score of each link with the historical baseline range stored in the database. The difference between the current score and the upper limit of the baseline is used as the "risk offset value" and input into a preset policy mapping table. This table returns a set of quantifiable adjustment quantities based on historical operation and maintenance data, risk event handling experience, and trend fitting relationships. For first priority links, the mapping table outputs adjustment parameters, such as a percentage increase in alarm trigger sensitivity, a millisecond reduction in threshold response rate, the tightening of remote access control policies, the duration of temporary isolation of nodes or sessions, and the enhancement level of network-level traffic monitoring and intrusion detection rules. These parameters are derived from historical data statistics, trend analysis, and simulated attack experiments, and can be directly quantified and implemented. The system then inputs these adjustment quantities into the security constraint, checks them according to the minimum / maximum values set by the administrator, business rules, and methodological tolerances, and rounds them according to the system's allowed step size. For example, alarm sensitivity is in 0.01 step size, threshold response rate is in milliseconds, and isolation time is in minutes. After processing, the adjusted parameters are written to the policy library as versioned configurations and a canary release strategy is adopted. The new parameters are first applied to some devices or communication links, and alarm hit rate, false alarm rate, response latency, and anomaly handling success rate are monitored in real time during the canary release period. If the indicators during the canary release period reach the preset standards, the policy will be fully rolled out, and the newly generated data will be fed back to update the mapping table and optimize the protection rules. If the indicators do not meet the standards, the system will automatically roll back to the previous stable version and trigger manual intervention and investigation. The adjustment of the second priority links is also based on the risk offset value input into the mapping table, but the output adjustment is of medium intensity. For example, it may moderately increase the alarm trigger sensitivity, extend the response threshold time, increase the weight of traffic behavior analysis, and adjust the session audit frequency to ensure that the risk is controlled without interfering with business. The third priority links are mainly adjusted with low intensity parameters, mainly for routine inspections and periodic monitoring, such as adjusting the alarm threshold sampling frequency or periodically checking network traffic characteristics to ensure that the risk remains within a controllable range. The entire process forms a closed loop through quantification, constraints, gray-scale distribution, monitoring and verification, and feedback optimization, enabling response triggering measures to dynamically adapt to the risk status of different priority links, and achieving refined, traceable, and sustainable adjustment of high, medium, and low priority links.
[0066] Specifically, cross-validation is performed on the multi-level risk links of the Industrial Internet. The process is as follows: after adjusting the response triggering measures of each second risk link of the Industrial Internet, the second risk links of the Industrial Internet are reacquired and dynamically prioritized. The number of ranking downgrades of each second risk link of the Industrial Internet is counted. If the number of ranking downgrades of each second risk link of the Industrial Internet is higher than or equal to the ranking downgrade threshold stored in the database, no adjustment to the network security policy is required. If the number of ranking downgrades of each second risk link of the Industrial Internet is lower than the ranking downgrade threshold stored in the database, the network security policy is adjusted.
[0067] It should be noted that the number of second-risk links in the industrial internet is specifically determined by recalculating the dynamic priority of each second-risk link within the monitoring period after issuing and implementing response triggering measures for each primary-risk link, comparing the ranking before and after the adjustment, and counting the number of links that are downgraded to a lower priority or downgraded across levels (e.g., from first priority to second or third priority) in the new ranking. If the number of downgrades is greater than or equal to the preset downgrade threshold in the database, it indicates that the current handling strategy has achieved the expected effect overall, and the existing strategy should be maintained and enter the observation and verification phase to prevent short-term rebound. Conversely, if the number of downgrades is lower than the threshold, it indicates that the handling measures have failed to significantly reduce the overall risk or that there are blind spots in the coverage, and the network security strategy needs to be adjusted accordingly. All strategy adjustments must be verified by the constraint mechanism, and their effectiveness should be reviewed in the next monitoring period using the same downgrade statistics method to achieve closed-loop optimization.
[0068] Specifically, the process involves adjusting network security strategies and providing feedback on industrial internet security operation and maintenance risk assessments. The specific process is as follows: based on the dynamic priority of each second risk link in the industrial internet, the data drivers corresponding to each second risk link are determined and adjusted and optimized in real time, including adding traffic whitelist entries or extending the isolation period, and a feedback report is generated.
[0069] It should be noted that, firstly, dynamic comprehensive risk scores are collected for each primary and secondary risk link. These scores are then compared with corresponding thresholds stored in the database to calculate the deviation of each link from the threshold. This deviation directly reflects whether the link is still within a controllable risk range and what level of adjustment measures are needed. Next, the system calls the policy mapping table to map the deviation values to specific quantifiable adjustment actions. These actions include adding traffic whitelist entries to high-priority links, enabling secondary confirmation before executing high-risk commands, temporarily isolating high-risk nodes or sessions, adjusting intrusion detection thresholds, strengthening cross-regional traffic monitoring, and optimizing access control policies and log collection completeness. Each adjustment action includes clearly defined parameters, such as the number of new whitelist entries, the trigger threshold adjustment range, isolation duration, and collection frequency. A constraint mechanism is used for legality verification to ensure that the adjustments do not cause unnecessary interruptions or risks to the production system.
[0070] like Figure 5 As shown, the second aspect of the present invention also provides an industrial internet security operation and maintenance risk assessment system, including: a risk link construction and primary risk assessment module, used to collect initial information on the industrial internet operating environment, construct various risk links of the industrial internet, analyze various risk links of the industrial internet, obtain primary risk factors of various risk links of the industrial internet, and preliminarily screen various primary risk links of the industrial internet.
[0071] The Link Dynamic Assessment and Response Trigger Adjustment Module is used to acquire and analyze the dynamic operation data of each primary risk link in the Industrial Internet, obtain each secondary risk link in the Industrial Internet, dynamically prioritize each secondary risk link in the Industrial Internet, and adjust the response trigger measures for each secondary risk link in the Industrial Internet.
[0072] The verification and policy feedback closed-loop module is used to cross-verify the multi-level risk links of the industrial internet, adjust network security policies, and provide feedback on the security operation and maintenance risk assessment of the industrial internet.
[0073] It should also be understood that the memory in the embodiments of the present invention can be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory can be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), or flash memory. The volatile memory can be random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of random access memory (RAM) are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate synchronous DRAM (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous linked DRAM (SLDRAM), and direct rambus RAM (DR RAM).
[0074] The above embodiments can be implemented, in whole or in part, by software, hardware (such as circuits), firmware, or any other combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. A computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the flow or function according to the embodiments of the present invention is generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. Computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., infrared, wireless, microwave, etc.) means. A computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that includes one or more sets of available media. Available media can be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media. Semiconductor media can be solid-state drives.
[0075] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. A and B can be singular or plural. Additionally, the character " / " in this article generally indicates an "or" relationship between the preceding and following related objects, but it can also represent an "and / or" relationship. Please refer to the context for a more accurate understanding.
[0076] In this invention, "at least one" means one or more, and "more than one" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or a plurality of items. For example, at least one of a, b, or c can represent: a, b, c, ab, ac, bc, or abc, where a, b, and c can be single or multiple.
[0077] It should be understood that, in various embodiments of the present invention, the order of the above-mentioned process numbers does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
[0078] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0079] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the devices, apparatuses, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0080] In the embodiments provided by this invention, it should be understood that the disclosed devices, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.
[0081] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0082] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0083] If a function is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0084] The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A method for assessing security operation and maintenance risks in the industrial internet, characterized in that, The method includes: Initial information is collected on the industrial internet operating environment, various risk links of the industrial internet are constructed, and these risk links are analyzed to obtain the primary risk factors of each risk link. The primary risk links of the industrial internet are then preliminarily screened. The dynamic operation data of each primary risk link of the Industrial Internet is obtained and analyzed to obtain each secondary risk link of the Industrial Internet. The secondary risk links of the Industrial Internet are dynamically prioritized and the response triggering measures of each secondary risk link of the Industrial Internet are adjusted. Cross-validate the multi-level risk links of the industrial internet, adjust network security strategies, and provide feedback on the security operation and maintenance risk assessment of the industrial internet; The specific process for cross-validating the multi-level risk links of the Industrial Internet is as follows: After adjusting the response triggering measures for each second risk link of the Industrial Internet, the second risk links of the Industrial Internet are reacquired and dynamically prioritized. The number of ranking downgrades for each second risk link of the Industrial Internet is counted. If the number of ranking downgrades for each second risk link of the Industrial Internet is higher than or equal to the ranking downgrade threshold stored in the database, no adjustment to the network security policy is required. If the number of ranking downgrades for each second risk link of the Industrial Internet is lower than the ranking downgrade threshold stored in the database, the network security policy is adjusted.
2. The industrial internet security operation and maintenance risk assessment method according to claim 1, characterized in that, The specific process for obtaining the primary risk factors for each risk link in the Industrial Internet is as follows: Acquire operational transmission data for each risky link in the Industrial Internet, including: link packet loss rate, maximum CPU utilization, average measurement deviation of key process sensors, and number of abnormal remote accesses; The primary risk factors for each risk link in the Industrial Internet are obtained by comparing the packet loss rate of each risk link with the defined packet loss rate stored in the database, the maximum CPU utilization with the defined CPU utilization stored in the database, the average measurement deviation of key process sensors with the defined measurement deviation of key process sensors stored in the database, and the number of abnormal remote accesses with the defined number of abnormal remote accesses stored in the database, and by introducing weighting coefficients. These primary risk factors are used to quantitatively assess the potential threat intensity of each link in the operating environment and its potential impact on the business continuity and control reliability of the overall Industrial Internet system.
3. The industrial internet security operation and maintenance risk assessment method according to claim 1, characterized in that, The preliminary screening of the primary risk links in the industrial internet is carried out as follows: A risk detection sliding window is preset. The primary risk factors of each risk link in the industrial internet are extracted in the sliding window and compared with the primary risk factor threshold of the risk link stored in the database. If the primary risk factor of a certain risk link in the industrial internet is higher than or equal to the primary risk factor threshold of the risk link, the risk link is marked as the first risk link. Thus, each first risk link in the industrial internet is obtained. If the primary risk factor of a certain risk link in the industrial internet is lower than the primary risk factor threshold of the risk link, the risk link does not need to be marked as the first risk link. In the risk detection sliding window, the primary risk factors of each first risk link in the industrial internet are compared with the historical baseline range of the corresponding risk link stored in the database. If the primary risk factor of a first risk link in the industrial internet exceeds the historical baseline range of its corresponding risk link, then the first risk link is marked as a primary risk link. If the primary risk factor of a first risk link in the industrial internet does not exceed the historical baseline range of its corresponding risk link, then it is not necessary to mark the first risk link as a primary risk link.
4. The industrial internet security operation and maintenance risk assessment method according to claim 1, characterized in that, The process of acquiring and analyzing dynamic operational data from each primary risk link in the Industrial Internet is as follows: Extract dynamic operational data from each primary risk link of the Industrial Internet, including detection coverage, intrusion detection hit rate, and the proportion of searchable sessions; The second risk factor of each primary risk link in the Industrial Internet is obtained by weighted fusion of the detection coverage, intrusion detection hit rate and searchable session ratio. The second risk factor of each primary risk link in the Industrial Internet is used to quantitatively evaluate the observability and protection reliability of each primary risk link in the actual security monitoring and protection system.
5. The industrial internet security operation and maintenance risk assessment method according to claim 4, characterized in that, The specific process for obtaining each second risk link of the Industrial Internet is as follows: A preset monitoring period is set, and the primary risk factors of each primary risk link of the Industrial Internet in the risk detection sliding window are obtained during the monitoring period. The difference between the primary risk factors of each primary risk link of the Industrial Internet in the risk detection sliding window and the primary risk factors of each primary risk link of the Industrial Internet in the previous window is calculated to obtain the short-term change rate of the risk factors of each primary risk link of the Industrial Internet. Extract the short-term change rate of risk factors of each primary risk link of the Industrial Internet during the monitoring period, as well as the secondary risk factors of each primary risk link of the Industrial Internet. The second risk factor of each primary risk link in the Industrial Internet is compared with the threshold of the second risk factor of the primary risk link stored in the database. If the second risk factor of a primary risk link in the Industrial Internet is lower than or equal to the threshold of the second risk factor of the primary risk link, then the primary risk link in the Industrial Internet is marked as a second risk link. If the second risk factor of a primary risk link in the Industrial Internet is higher than the threshold of the second risk factor of the primary risk link and the short-term change rate of the risk factor of the primary risk link in the Industrial Internet is positive, then the primary risk link in the Industrial Internet is also marked as a second risk link. Otherwise, the primary risk link in the Industrial Internet does not need to be marked as a second risk link. In this way, each second risk link in the Industrial Internet is obtained.
6. The industrial internet security operation and maintenance risk assessment method according to claim 5, characterized in that, The specific process for dynamically prioritizing each second risk link in the Industrial Internet is as follows: During the monitoring period, the short-term change rate of the risk factors of each second risk link of the Industrial Internet is weighted and integrated with the second risk factors of each second risk link of the Industrial Internet to obtain the dynamic comprehensive risk score of each second risk link of the Industrial Internet. The dynamic comprehensive risk score of each second risk link of the Industrial Internet is used to evaluate the overall risk level and risk priority of each link in the current operating environment. The dynamic comprehensive risk scores of each second risk link in the Industrial Internet are sorted from largest to smallest to obtain the dynamic priority of each second risk link in the Industrial Internet. The dynamic priority of each second risk link in the Industrial Internet includes a first priority, a second priority, and a third priority.
7. The industrial internet security operation and maintenance risk assessment method according to claim 6, characterized in that, The specific process for adjusting the response triggering measures for each second risk link in the Industrial Internet is as follows: During the monitoring period, the response triggering measures for each second risk link of the Industrial Internet are adjusted according to the dynamic priority ranking of each second risk link. When the dynamic priority of each second risk link in the industrial internet is the first priority, the trigger sensitivity, compensation control threshold and emergency isolation strategy will be adjusted. When the dynamic priority of each second risk link in the Industrial Internet is the second priority, the trigger threshold and alarm strategy should be adjusted, and the data collection frequency and verification mechanism should be optimized. When the dynamic priority of each second risk link in the Industrial Internet is the third priority, the frequency of routine inspections, the completeness of log collection, and the periodic risk score update mechanism will be adjusted.
8. The industrial internet security operation and maintenance risk assessment method according to claim 1, characterized in that, The specific process of adjusting network security strategies and providing feedback on industrial internet security operation and maintenance risk assessment is as follows: Based on the dynamic priority of each second risk link in the Industrial Internet, the corresponding data-driven approach for each second risk link is determined and adjusted and optimized in real time, including adding traffic whitelist entries or extending the isolation period, and a feedback report is generated.
9. A system applying the industrial internet security operation and maintenance risk assessment method as described in any one of claims 1-8, comprising: The Risk Link Construction and Primary Risk Assessment module is used to collect initial information on the industrial internet operating environment, construct various risk links of the industrial internet, analyze each risk link of the industrial internet, obtain the primary risk factors of each risk link of the industrial internet, and preliminarily screen the primary risk links of the industrial internet. The Link Dynamic Assessment and Response Trigger Adjustment Module is used to acquire and analyze the dynamic operation data of each primary risk link in the Industrial Internet, obtain each secondary risk link in the Industrial Internet, dynamically prioritize each secondary risk link in the Industrial Internet, and adjust the response trigger measures for each secondary risk link in the Industrial Internet. The verification and policy feedback closed-loop module is used to cross-verify the multi-level risk links of the industrial internet, adjust network security policies, and provide feedback on the security operation and maintenance risk assessment of the industrial internet.