A unified identity authentication and authorization method and system in an industrial network environment
By configuring read-only monitoring mode and work order-based workflow diagrams in industrial network environments, single-use valid authorization credentials are dynamically generated, solving the problem of users holding excessively long operation permissions under traditional identity authentication methods, reducing security risks at unnecessary times, and improving the security and stability of industrial control systems.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: FUJIAN GUOKE INFORMATION TECH CO LTD
- Filing Date: 2026-04-13
- Publication Date: 2026-06-19
AI Technical Summary
In industrial network environments, traditional authentication methods allow users to retain full operational capabilities over critical equipment even during off-peak hours or when no sensitive operations are required, increasing the security risks of unauthorized access and misoperation.
After user login verification, an identity session is established and read-only monitoring mode is configured. Combined with the standard operation flowchart of the work order, the device status is collected in real time and compared with the preconditions. A single valid authorization credential is dynamically generated, the write channel is temporarily opened and closed immediately after the instruction transmission is completed. Multiple verifications ensure the integrity of the instruction execution scenario.
It reduces the risk of industrial production being disrupted due to account misuse by others or unintentional misuse by internal personnel, improves the system's ability to perceive and judge complex scenarios, and enhances the operational stability and security of industrial control systems.
Figure CN122247728A_ABST
Description
Technical Field
[0001] This application belongs to the field of digital information transmission, and in particular relates to a unified identity authentication and authorization method and system in an industrial network environment.
Background Technology
[0002] With the deepening application of Industrial Internet technology, modern chemical enterprises are gradually interconnecting their Production Execution Systems (PIS) with underlying equipment control systems. Because this involves numerous business subsystems and control units developed by different vendors, traditional authentication methods are typically maintained independently by each system. This forces maintenance personnel to repeatedly switch between multiple login interfaces when performing cross-regional or cross-system inspections or operations. This not only reduces the efficiency of on-site operations but also, due to fragmented access control, makes it difficult for administrators to uniformly audit and control the access behavior of all personnel across the plant. This can easily lead to delayed access updates due to personnel changes, thereby increasing the security risks of unauthorized access or misoperation.
[0003] In related technologies, single sign-on is typically achieved by deploying a centralized authentication database and using standard protocols such as OAuth 2.0. This allows users to obtain an access token with only one authentication and pass through different related systems. Simultaneously, multi-factor authentication is performed using biometric features such as fingerprints and iris scans, as well as smart work cards with embedded RFID chips. A permission change monitoring mechanism is also implemented, which periodically synchronizes employee job change information from the human resources system to automatically refresh permission configurations. Combined with rule-based anomaly detection, this enhances operational convenience and basic security in industrial network environments.
[0004] However, the authorization logic of related technologies mainly relies on a static mapping relationship between user identity and preset roles. This means that as long as the user's job role remains unchanged and login verification is successful, their control over key equipment or core parameters will remain active throughout the entire session or role validity period. This authorization model allows users to maintain full operational capabilities over the industrial control system even during non-operational periods or when no sensitive operations are required, creating a continuously open operational window. This increases the risk of disruption to normal industrial production due to unauthorized account misuse or unintentional touches by internal personnel at unnecessary times.
Summary of the Invention
[0005] This application provides a unified identity authentication and authorization method and system in an industrial network environment, which reduces the risk of disrupting normal industrial production due to account misuse by others or unintentional misuse by internal personnel at unnecessary times.
[0006] Firstly, this application provides a unified identity authentication and authorization method in an industrial network environment. After confirming that the user's login request has been verified, an identity session is established with the user terminal, and the initial permissions of the identity session are configured to read-only monitoring mode.
[0007] Receive a user's job request based on a specific work order, and retrieve the standard operation flowchart associated with the specific work order from the preset database. The standard operation flowchart is a directed graph consisting of several sequentially connected operation nodes, and each operation node has a preset corresponding device status prerequisite.
[0008] The first physical state vector of the target device is collected and compared with the device state preconditions of the operation node in the standard operation flowchart to determine the target operation node. The target operation node contains a unique atomic instruction to be executed and the corresponding target device state preconditions.
[0009] The instruction code of the unique atomic instruction to be executed, the identification information of the target device state preconditions, and the identifier of the identity session are combined and a single valid authorization credential is generated through an encryption algorithm.
[0010] When the industrial control gateway receives the data packet submitted by the user terminal and parses out the control command to be executed and the single valid authorization credential, it collects the current physical state vector of the target device.
[0011] If the session identifier is valid, the control command to be executed in the data packet is consistent with the command code in the single valid authorization credential, and the current physical state vector meets the preconditions of the target device state, the write channel for the control command to be executed is temporarily opened.
[0012] The control command to be executed is transmitted to the target device for execution, and the write channel is closed immediately after the control command to be executed is transmitted.
[0013] Cancel the single valid authorization credential.
[0014] By adopting the above technical solution, and configuring initial read-only monitoring permissions by default after user login verification, combined with work order-based standard operation flowcharts for job management, the system can decompose complex operation processes into atomic instructions with clear preconditions. The system collects the physical status of equipment in real time and compares it with the preconditions of operation nodes to accurately locate the target operation node that is currently allowed to execute. For each specific atomic instruction, the system dynamically generates a single-use valid authorization credential and ensures the integrity of the scenario during instruction execution through multiple verifications at the gateway layer. By temporarily opening the write channel and immediately closing it after instruction transmission, the time window for industrial control systems to be exposed to high-privilege operation states is reduced. This reduces the risk of disruption to normal industrial production due to unauthorized account use or unintentional touches by internal personnel at unnecessary times.
[0015] In conjunction with some implementations of the first aspect, in some implementations, the first physical state vector is compared with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node, specifically including:
[0016] Construct a logical interlock topology diagram of the target device and its associated devices;
[0017] Based on the logical interlock topology diagram, auxiliary status data of associated devices are collected;
[0018] The first physical state vector is correlated with the auxiliary state data to generate a composite scene state set;
[0019] Traverse the standard operation flowchart and analyze the preset scenario integrity constraints of each operation node. The preset scenario integrity constraints are that the target device itself meets the requirements and the auxiliary status of the associated device meets the interlocking logic.
[0020] Logical operations are performed to match the composite scenario state set with the preset scenario integrity constraints of each operation node.
[0021] The operation node that satisfies all interlocking logic is identified as the target operation node.
[0022] By adopting the above technical solution, when matching operation nodes, the system not only considers the physical state of the target device but also combines it with auxiliary state data of related devices for comprehensive analysis, generating a more complete set of composite scenario states. By performing logical operations to match the composite scenario state set with preset scenario integrity constraints, the system can more accurately identify operation nodes that satisfy all interlocking logic. This state analysis method based on device relationships improves the system's perception and judgment accuracy of complex industrial scenarios and reduces the risk of misjudgment caused by mutual influence between devices.
[0023] In conjunction with some implementations of the first aspect, in some implementations, the first physical state vector is compared with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node, specifically including:
[0024] Retrieve the status change log of the target device within a preset historical time window and identify the historical final state node of the target device at the end of the last operation;
[0025] Based on the standard operation flowchart, retrieve all legal successor paths starting from the historical final state node to construct the allowed state transition space at the current moment;
[0026] Functional semantic mapping is performed on the first physical state vector to convert discrete sensor values into corresponding current functional state descriptions;
[0027] If it is determined that the current functional state description falls within the allowed state transition space, the node in the allowed state transition space corresponding to the current functional state description is determined as the target operation node.
[0028] By employing the above technical solution and analyzing the device's state change logs within a preset historical time window, the system can identify the device's historical final state nodes and construct the permissible state transition space for the current moment based on this. Discrete sensor values are converted into current functional state descriptions through functional semantic mapping, enabling the system to understand the device state at a higher level of abstraction. By verifying whether the current functional state falls within the permissible state transition space and determining the target operation node accordingly, the system's understanding of the device state evolution process is deepened. This analysis method, which considers historical state evolution trajectories, improves the system's ability to identify abnormal state transitions and reduces the risk of erroneous authorizations due to state judgment biases.
[0029] In some embodiments, in conjunction with the first aspect, after comparing the first physical state vector with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node, the method further includes:
[0030] Calculate the current state change rate of the target device based on the historical time series data of the first physical state vector;
[0031] Based on the first physical state vector, the state change rate, and the preset command transmission delay, the estimated state value of the target device at the time of command execution is calculated.
[0032] Compare the estimated state value with the device state prerequisites corresponding to the target operation node;
[0033] Only when the estimated state value meets the device state prerequisites of the target operation node, the step of combining the instruction code of the unique atomic instruction to be executed, the identification information of the target device state prerequisites, and the identifier of the identity session is performed.
[0034] By employing the aforementioned technical solution, and by calculating the current rate of change of the device's state, combined with the physical state vector and preset command transmission delay, the system can predict the device's state value at the time of command execution. The predicted state value is compared in advance with the preconditions of the target operation node, avoiding the lag problem that may arise from relying solely on static state judgment. This state prediction-based advance verification mechanism improves the system's adaptability to dynamically changing scenarios, reduces the timeliness problem of authorization caused by rapid changes in device state, and makes operation authorization decisions more in line with the real-time requirements of industrial control systems. This dynamic prediction method also improves the system's control accuracy in high-speed state change scenarios and reduces the impact of state deviation between the command execution time and the state acquisition time.
[0035] In conjunction with some implementations of the first aspect, in some implementations, the step of calculating the estimated state value of the target device at the time of instruction execution based on the first physical state vector, the state change rate, and the preset instruction transmission delay is specifically calculated using the following formula:
[0036]
[0037] where the quantities are, in order, the predicted state value, the value of the first physical state vector, the rate of change of the state, the preset command transmission delay, and the acceleration of the state change.
[0038] By adopting the above technical solution and introducing a state prediction calculation formula, the system can predict the future state of the device before the command is executed. This formula not only considers the current state value but also incorporates the rate of state change and acceleration into the calculation, making the prediction results more accurate. Since the calculation includes network transmission latency, the system can accurately predict the actual physical state of the device when the command arrives for execution. This prediction mechanism enables the system to maintain high control accuracy even in scenarios with rapidly changing states, reducing the command execution failure rate caused by state prediction errors. Simultaneously, by predicting the state value at the execution moment in advance, the system can detect potential state conflicts early, reducing the risk of safety accidents during command execution. This physical model-based prediction method improves the system's adaptability to dynamic operating conditions and enhances the reliability of industrial control systems under complex operating conditions.
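The patent's formula is not reproduced on this page, so the Python example below (added here, not the patent's own code) assumes the second-order extrapolation s + v·t + a·t²/2 over the preset transmission delay t, with the rate and acceleration estimated by finite differences; sensor names and sample values are constructed. It shows how the prediction changes an authorization decision that a static comparison of the latest sample would let through.

```python
# Added example. ASSUMED formula (the patent's own formula is not reproduced here):
#   s_hat = s + v*t + a*t^2/2   with t = preset command transmission delay,
# v and a estimated from the last three samples of each state component.

def rate_and_acceleration(samples):
    """samples: [(timestamp_s, value), ...] for one state component, oldest first.
    Returns (rate of change, acceleration) from the last three samples; with fewer
    samples the derivative that cannot be estimated is taken as 0."""
    if len(samples) < 2:
        return 0.0, 0.0
    (t1, s1), (t2, s2) = samples[-2], samples[-1]
    v2 = (s2 - s1) / (t2 - t1)
    if len(samples) < 3:
        return v2, 0.0
    t0, s0 = samples[-3]
    v1 = (s1 - s0) / (t1 - t0)
    return v2, (v2 - v1) / ((t2 - t0) / 2)  # velocities sit at interval midpoints

def predict_state(samples, delay_s):
    """Estimated value of one component at the moment the command reaches the device."""
    s = samples[-1][1]
    v, a = rate_and_acceleration(samples)
    return s + v * delay_s + 0.5 * a * delay_s ** 2

def check_target_node(history, rule, delay_s):
    """history: sensor -> samples; rule: sensor -> inclusive (low, high) precondition.
    Returns (static_ok, predicted_ok, predicted): the plain comparison of the latest
    sample against the rule, and the same comparison against the predicted values."""
    latest = {k: history[k][-1][1] for k in rule}
    predicted = {k: predict_state(history[k], delay_s) for k in rule}
    static_ok = all(lo <= latest[k] <= hi for k, (lo, hi) in rule.items())
    predicted_ok = all(lo <= predicted[k] <= hi for k, (lo, hi) in rule.items())
    return static_ok, predicted_ok, predicted

def demo():
    """Constructed data: a temperature rising faster each second and a steady
    pressure; the node precondition is 'temperature below 100 C'."""
    history = {"temperature_c": [(0.0, 90.0), (1.0, 93.0), (2.0, 97.0)],
               "pressure_bar": [(0.0, 2.0), (1.0, 2.0), (2.0, 2.0)]}
    rule = {"temperature_c": (0.0, 100.0), "pressure_bar": (1.5, 2.5)}
    # with a 1.5 s transmission delay the static check passes but the predicted one does not
    return check_target_node(history, rule, delay_s=1.5)
```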
[0039] In conjunction with some implementations of the first aspect, in some implementations, after canceling a single valid authorization credential, the method further includes:
[0040] Acquire the second physical state vector of the target device after executing the control command to be executed;
[0041] Obtain the post-expected state conditions of the target operation node in the standard operation flowchart;
[0042] Compare the second physical state vector with the subsequent expected state conditions;
[0043] If the second physical state vector satisfies the subsequent expected state condition, then the current job pointer of the identity session in the standard job flowchart will be updated to the next operation node.
[0044] By adopting the above technical solution, the system establishes a closed-loop command execution effect verification mechanism by collecting the physical state of the equipment after command execution and comparing it with the expected state. This mechanism verifies the actual execution effect of control commands through real-time status feedback, improving the system's ability to identify abnormal operating conditions. When the execution result meets expectations, the system automatically advances the work process, pointing the work pointer to the next operation node, improving the continuity of work execution. This work advancement mechanism based on physical feedback reduces the risk of human judgment errors and improves the accuracy of work execution. By closely linking changes in physical state with standard operating procedures, the system enhances its ability to perceive the actual operating status of the equipment and improves the operational stability of the industrial control system.
[0045] In conjunction with some implementations of the first aspect, in some implementations, after comparing the second physical state vector with the subsequent expected state conditions, the method further includes:
[0046] If the second physical state vector does not satisfy the subsequent expected state condition, a process lock signal is generated;
[0047] In response to a process lock signal, the identity session is prohibited from generating a single valid authorization credential for the next operation node in the standard operation flowchart.
[0048] By adopting the above technical solution and introducing a process locking mechanism, the system can automatically block the generation of authorization for subsequent instructions when it detects an abnormal instruction execution result. This automatic locking mechanism based on execution results reduces the possibility of the spread of abnormal operating conditions. When a control instruction fails to adjust the equipment to the expected state, the system restricts the user from continuing to perform subsequent operations by prohibiting the generation of new authorization credentials. This protection mechanism improves the system's fault tolerance when the equipment responds abnormally and reduces the risk of equipment damage caused by forcibly continuing to execute subsequent instructions. By promptly cutting off the authorization chain under abnormal operating conditions, the system improves the security of industrial control processes and enhances the protection capabilities of industrial control systems under complex operating conditions.
[0049] Secondly, embodiments of this application provide a unified identity authentication and authorization system in an industrial network environment. The unified identity authentication and authorization system in the industrial network environment includes: one or more processors and a memory; the memory is coupled to one or more processors, the memory is used to store computer program code, the computer program code includes computer instructions, and one or more processors call the computer instructions to cause the system to perform the method described in the first aspect and any possible implementation of the first aspect.
[0050] Thirdly, embodiments of this application provide a computer-readable storage medium including instructions that, when executed on a system, cause the system to perform the method described in the first aspect and any possible implementation thereof.
[0051] Fourthly, embodiments of this application provide a computer program product that, when run on a system, causes the system to execute the method described in any possible implementation of the first aspect.
[0052] One or more technical solutions provided in the embodiments of this application have at least the following technical effects or advantages:
[0053] 1. This application provides a unified identity authentication and authorization method in an industrial network environment. By configuring initial read-only monitoring permissions by default after user login verification, and combining this with standard work flow diagrams based on work orders for job management, the system can decompose complex operation processes into atomic instructions with clear preconditions. The system collects the physical status of equipment in real time and compares it with the preconditions of the operation nodes to accurately locate the target operation node currently allowed to execute. For each specific atomic instruction, the system dynamically generates a single-use valid authorization credential and ensures the integrity of the scenario during instruction execution through multiple verifications at the gateway layer. By temporarily opening the write channel and immediately closing it after instruction transmission, the time window for industrial control systems to be exposed to high-privilege operation states is reduced. This reduces the risk of disruption to normal industrial production due to unauthorized account use or unintentional misuse by internal personnel at unnecessary times.
[0054] 2. This application provides a unified identity authentication and authorization method in an industrial network environment. By calculating the current state change rate of the device and combining it with the physical state vector and preset command transmission delay, the system can predict the device state value at the time of command execution. The predicted state value is compared in advance with the preconditions of the target operation node, avoiding the lag problem that may arise from relying solely on static state judgment. This state prediction-based advance verification mechanism improves the system's adaptability to dynamically changing scenarios, reduces the authorization timeliness problem caused by rapid changes in device state, and makes operation authorization decisions more in line with the real-time requirements of industrial control systems. This dynamic prediction method also improves the system's control accuracy in high-speed state change scenarios and reduces the impact of state deviation between the command execution time and the state acquisition time.
[0055] 3. This application provides a unified identity authentication and authorization method in an industrial network environment. By collecting the physical state of the equipment after instruction execution and comparing it with the expected state, the system establishes a closed-loop instruction execution effect verification mechanism. This mechanism verifies the actual execution effect of control instructions through real-time status feedback, improving the system's ability to identify abnormal operating conditions. When the execution result meets expectations, the system automatically advances the work process, pointing the work pointer to the next operation node, improving the continuity of work execution. This work advancement mechanism based on physical feedback reduces the risk of human error and improves the accuracy of work execution. By closely linking changes in physical state with standard operating procedures, the system enhances its ability to perceive the actual operating status of equipment and improves the operational stability of the industrial control system.
Attached Figure Description
[0056] Figure 1 is a flowchart illustrating a unified identity authentication and authorization method in an industrial network environment, as described in this application.
[0057] Figure 2 is another flowchart illustrating a unified identity authentication and authorization method in an industrial network environment, as described in an embodiment of this application.
[0058] Figure 3 is another flowchart illustrating a unified identity authentication and authorization method in an industrial network environment, as described in this application.
[0059] Figure 4 is a schematic diagram of the physical device structure of a unified identity authentication and authorization system in an industrial network environment provided in an embodiment of this application.
Detailed Implementation
[0060] The terminology used in the following embodiments of this application is for the purpose of describing particular embodiments only and is not intended to be limiting of this application. As used in the specification and appended claims of this application, the singular expressions “a,” “an,” “the,” and “this” are intended to include the plural expressions as well, unless the context clearly indicates otherwise. It should also be understood that the term “and/or” as used in this application refers to any or all possible combinations including one or more of the listed items.
[0061] Hereinafter, the terms "first" and "second" are used for descriptive purposes only and should not be construed as implying or suggesting relative importance or implicitly indicating the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature, and in the description of the embodiments of this application, unless otherwise stated, "multiple" means two or more.
[0062] The following embodiment, in conjunction with Figure 1, describes the unified identity authentication and authorization method in an industrial network environment of this application:
[0063] Please refer to Figure 1, which is a flowchart illustrating a unified identity authentication and authorization method in an industrial network environment, as described in this application.
[0064] S101. After confirming that the user's login request has been verified, establish an identity session with the user's terminal and configure the initial permissions of the identity session to read-only monitoring mode.
[0065] The system first verifies the user's login request, then establishes an identity session with the user's terminal, configuring the initial permissions of the identity session to read-only monitoring mode. In this process, the user terminal refers to the hardware device used by the user to initiate interactive operations, including but not limited to industrial tablet PCs, engineering workstation PCs, handheld PDAs, or smart wearable devices with a human-computer interaction interface; this device is not limited to a specific operating system or hardware architecture. Successful login request verification refers to the system verifying and confirming the legitimacy of the user's submitted identity credentials. Identity credentials may include username and password combinations, biometric information (such as fingerprints or iris scans), physical tokens, or digital certificates. The verification method is not limited to a single mode and can be multi-factor authentication. An identity session refers to a persistent logical connection state established between the server and client, used to identify the user's identity and context information in subsequent interactions; this session has a unique lifecycle identifier. Initially configuring read-only monitoring mode means that in the initial stage of session establishment, the system forcibly sets a minimum privilege state. In this state, users are only allowed to view system data, device status, log information, or reports, and are strictly prohibited from executing any write commands that could change the physical state of the device, modify control parameters, or produce actual actions. This read-only monitoring mode is a default security policy designed to prevent users from accidentally operating industrial equipment before specifying specific work tasks. After confirming the user's legitimate identity, the system generates a session object in memory or the database. This object contains the user's basic attributes, login time, and permission list. The permission list is strictly restricted to read operations during initialization, blocking all access to control interfaces.
[0066] To achieve the above steps, the system can employ a token-based identity management mechanism. Specifically, after the system verifies that the user-submitted credentials (such as an encrypted password hash) match the information stored in the database, it generates a JSON Web Token (JWT) containing the user ID, expiration time, and permission scope (set to ROLE_READ_ONLY at this point) using a server-side key. The system returns this token to the user terminal and requires the terminal to include the token in the header of all subsequent HTTP requests. When the server-side middleware intercepts a request, it parses the permission fields in the token. If it finds that the user is attempting to access a non-read-only interface, it directly intercepts the request and returns an insufficient permission error code.
[0067] Another implementation is based on server-side session storage and access control lists (ACLs). After successful authentication, the system creates a Session structure in the server's in-memory database (such as Redis) and generates a random Session ID, which is sent to the user's terminal via a cookie. This Session structure has a field named Current_Privilege_Level, which the system initializes to LEVEL_MONITOR. Simultaneously, the system backend is configured with a role-based access control interceptor that maintains a mapping table between URLs and permission levels. When a user initiates a request, the interceptor retrieves the corresponding permission level based on the Session ID. The request is only allowed if the minimum access requirement of the target resource is less than or equal to LEVEL_MONITOR; otherwise, the user is redirected to a page without permission.
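As an added example (not the patent's own code), the Python sketch below puts together the read-only session check of [0066]-[0067] and the credential generation, gateway verification, write-channel open/close and credential cancellation of [0009]-[0013]. HMAC-SHA256 stands in for the unnamed "encryption algorithm", and the signing key, interface paths, sensor names and rule format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo data, not from the patent: a server-side signing key, one identity
# session, one operation node and one precondition rule set.
SERVER_KEY = b"demo-signing-key-replace-in-deployment"  # assumption: server-side secret

class IdentitySession:
    """Session established after login; starts in read-only monitoring mode (S101)."""
    def __init__(self, user_id):
        self.session_id = secrets.token_hex(8)
        self.user_id = user_id
        self.permission = "ROLE_READ_ONLY"  # the session itself never gains a write permission
        self.valid = True

def precondition_met(state, rule):
    """rule maps a sensor name to an inclusive (low, high) range; every entry must hold."""
    return all(k in state and lo <= state[k] <= hi for k, (lo, hi) in rule.items())

class CredentialStore:
    """Issues, verifies and revokes single-use authorization credentials ([0009], [0013])."""
    def __init__(self, key):
        self.key = key
        self.live = {}  # nonce -> credential; the entry disappears once used or revoked

    def _tag(self, c):
        msg = f"{c['instruction']}|{c['precondition_id']}|{c['session_id']}|{c['nonce']}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session, node):
        cred = {"instruction": node["instruction"], "precondition_id": node["precondition_id"],
                "session_id": session.session_id, "nonce": secrets.token_hex(8)}  # nonce: single-use
        cred["tag"] = self._tag(cred)
        self.live[cred["nonce"]] = cred
        return cred

    def verify(self, cred):
        return hmac.compare_digest(self._tag(cred), cred.get("tag", "")) and cred["nonce"] in self.live

    def revoke(self, cred):
        self.live.pop(cred["nonce"], None)

class IndustrialGateway:
    """Enforces the read-only session ([0066]) and the multiple verifications of [0010]-[0013]."""
    READ_ONLY_INTERFACES = {"/status", "/logs", "/reports"}  # assumed read-only paths

    def __init__(self, store, sessions, rules, read_state, write_device):
        self.store, self.sessions, self.rules = store, sessions, rules
        self.read_state, self.write_device = read_state, write_device
        self.write_channel_open = False

    def handle_session_request(self, session_id, path):
        """Middleware check: a read-only session is stopped at any non-read-only interface."""
        session = self.sessions.get(session_id)
        if session is None or not session.valid:
            return "denied: session identifier invalid"
        if session.permission == "ROLE_READ_ONLY" and path not in self.READ_ONLY_INTERFACES:
            return "denied: insufficient permission"
        return "ok"

    def handle_packet(self, packet):
        """Control packet carrying a command plus a credential; returns the gateway decision."""
        cmd, cred = packet["command"], packet["credential"]
        session = self.sessions.get(cred.get("session_id"))
        if session is None or not session.valid:
            return "denied: session identifier invalid"
        if not self.store.verify(cred):
            return "denied: credential forged or already consumed"
        if cmd != cred["instruction"]:
            return "denied: command differs from credential instruction code"
        if not precondition_met(self.read_state(), self.rules[cred["precondition_id"]]):
            return "denied: device state precondition not met"
        self.write_channel_open = True  # temporarily open the write channel
        try:
            self.write_device(cmd)
        finally:
            self.write_channel_open = False  # closed immediately after transmission
            self.store.revoke(cred)  # cancel the credential: a replay now fails verify()
        return "executed"

def demo():
    """Constructed scenario: direct write attempt, legitimate packet, replay, mismatched command."""
    store = CredentialStore(SERVER_KEY)
    session = IdentitySession("operator-17")
    rules = {"PRE_V101": {"temperature_c": (0, 100), "pump_p1_running": (0, 0)}}
    node = {"instruction": "OPEN_VALVE_V101", "precondition_id": "PRE_V101"}
    sent = []
    gw = IndustrialGateway(store, {session.session_id: session}, rules,
                           lambda: {"temperature_c": 72.5, "pump_p1_running": 0}, sent.append)
    r = {"read": gw.handle_session_request(session.session_id, "/status"),
         "direct_write": gw.handle_session_request(session.session_id, "/control/valve")}
    cred = store.issue(session, node)
    r["first"] = gw.handle_packet({"command": "OPEN_VALVE_V101", "credential": cred})
    r["replay"] = gw.handle_packet({"command": "OPEN_VALVE_V101", "credential": cred})
    r["wrong_cmd"] = gw.handle_packet({"command": "CLOSE_VALVE_V101", "credential": store.issue(session, node)})
    r["sent"], r["channel_open"] = list(sent), gw.write_channel_open
    return r
```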
[0068] S102. Receive the job request initiated by the user based on a specific work order, and retrieve the standard job flowchart associated with the specific work order from the preset database.
[0069] The system receives job requests initiated by users based on specific work orders and retrieves the standard operation flowchart associated with those work orders from a pre-set database. The standard operation flowchart is a directed graph consisting of several sequentially connected operation nodes, with each operation node having pre-set corresponding equipment status prerequisites. The specific work order refers to a uniquely numbered task instruction issued in industrial production activities, containing metadata such as production batch, product model, and process route ID. The work order can originate from an MES (Manufacturing Execution System) or ERP (Enterprise Resource Planning) system. The job request is a trigger signal generated when the user selects the work order on the terminal interface and clicks "Start Job" or a similar control. The pre-set database refers to the data storage medium storing various process definitions, equipment parameters, and relationships; it can be a relational database, graph database, or distributed file system. The standard operation flowchart is defined as a directed graph consisting of several sequentially connected operation nodes. The edges in the directed graph represent the flow direction of the process, and infinite loop paths are not allowed. An operation node is a unit in a flowchart that represents a specific action to be performed, such as atomic or combined operations like "open a valve," "set a temperature," or "start a motor." Each operation node has pre-defined equipment state prerequisites, which means that a set of physical or logical constraints must be met before the action represented by that node can be executed, such as "temperature is below 100 degrees" or "foreground pump has stopped." The system parses the process route ID in the work order and retrieves the corresponding flowchart data structure from the database. This data structure fully describes all steps from the start to the end of the operation and their dependencies.
[0070] To retrieve standard operation flowcharts from the database, the system employs graph database-based storage and retrieval technology. The system pre-builds a model of nodes and relationships in a pre-defined database, where nodes represent operation steps and relationships represent the flow sequence (e.g., NEXT_STEP). Each node entity stores attribute data, including operation instruction codes, device IDs, and device status preconditions stored in JSON format. When a job request is received, the system uses a graph query language (e.g., Cypher) to perform a traversal query based on the process ID associated with the work order as the entry node. This retrieves all child nodes under that process ID and their connections, and the query results are serialized into an object graph containing a list of nodes and edges, which is then returned to memory for processing.
[0071] Another implementation approach is based on an adjacency list model using a relational database management system (RDBMS). The system designs a "process node table" in the database, containing fields such as "node ID," "process ID," "parent node ID," "child node ID," "instruction content," and "precondition rules." The "precondition rules" field can store reference keys pointing to specific rule sets in the rule engine. When the system receives a job request, it retrieves all records matching the process ID using an SQL query and reassembles these discrete records into a complete directed acyclic graph (DAG) data structure in the application's memory based on parent-child node relationships using either depth-first search (DFS) or breadth-first search (BFS) algorithms, for subsequent logical use.
[0072] S103. Collect the first physical state vector of the target device and compare the first physical state vector with the device state prerequisites of the operation node in the standard operation flowchart to determine the target operation node.
[0073] The system acquires the first physical state vector of the target device and compares it with the device state preconditions of the operation nodes in the standard operating procedure diagram to determine the target operation node. Each target operation node contains a unique atomic instruction to be executed and its corresponding target device state preconditions. The step of comparing the first physical state vector with the device state preconditions of the operation nodes in the standard operating procedure diagram to determine the target operation node can be implemented in at least the following two ways.
[0074] The system can construct a logical interlock topology diagram of the target device and its associated devices; based on the logical interlock topology diagram, it collects auxiliary status data of the associated devices; it performs correlation analysis between the first physical state vector and the auxiliary status data to generate a composite scenario state set; it traverses the standard operation flowchart, parses the preset scenario integrity constraints of each operation node, and the preset scenario integrity constraints are that the target device's own state meets the requirements, and the auxiliary states of the associated devices meet the interlock logic; it performs logical operations to match the composite scenario state set with the preset scenario integrity constraints of each operation node; and it determines the operation node that satisfies all interlock logic as the target operation node.
[0075] The system first constructs a logical interlocking topology diagram between the target device and related devices (such as upstream and downstream devices, and redundant devices), defining the dependencies and exclusions between devices. The system collects auxiliary status data (such as the start/stop status of related pumps) from related devices via an industrial bus, combines this data with the first physical state vector of the target device, and uses a data fusion algorithm to generate a composite scenario state set. Next, the system traverses the standard operating procedure flowchart, parsing the preset scenario integrity constraints of each operation node (i.e., its own state is satisfied and the interlocking logic is valid). Using Boolean logic operations or a rule matching engine, the system matches the composite scenario state set with the constraints of each node one by one, selecting nodes that satisfy all interlocking logic as the target operation nodes.
[0076] The system can also retrieve the status change log of the target device within a preset historical time window and identify the historical final state node where the target device was at the end of the last operation; based on the standard operation flowchart, it retrieves all legal successor paths starting from the historical final state node to construct the allowed state transition space at the current moment; it performs functional semantic mapping on the first physical state vector to convert discrete sensor values into corresponding current functional state descriptions; if it is determined that the current functional state description falls within the allowed state transition space, the node in the allowed state transition space corresponding to the current functional state description is identified as the target operation node.
[0077] The system queries a pre-defined time-series database to obtain the status change logs of the target device within a pre-defined historical time window. By analyzing the timestamps and status values in the logs, it identifies the historical final state node at the end of the previous operation. Based on the directed structure of the standard operation flowchart, the system retrieves all direct successor paths originating from this historical final state node, constructing the permissible state transition space at the current moment (i.e., focusing only on possible next steps, rather than a full graph search). The system performs functional semantic mapping on the collected first physical state vector, converting continuous analog quantities (e.g., water level 50cm in a water tank) into discrete functional state descriptions (e.g., "water level normal"). Finally, the system determines whether the current functional state description falls within the permissible state transition space; if so, the corresponding node is locked as the target operation node.
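The following is an added example, not code from the patent or from the applicant: it rebuilds one process route from adjacency-list rows of the "process node table" described in [0071], rejects any stored route that contains a loop, and then determines the target operation node the way [0076] and [0077] describe, restricting candidates to the legal successors of the historical final state node and evaluating each node's preconditions against the first physical state vector. The process route, the signal names, and the (signal, operator, threshold) rule format are constructions of this example.

```python
"""Added example (not part of the patent): rebuild the standard operation
flowchart of one process route from adjacency-list rows (paragraph [0071])
and determine the target operation node from the first physical state
vector (paragraphs [0076]-[0077]).

Constructed data: the heating-tank route below, its signal names, and the
rule format (signal, operator, threshold) stored in "precondition rules".
"""
from collections import defaultdict, deque
import operator

# Constructed "process node table" rows; parent_id None marks the start node.
PROCESS_ROWS = [
    {"node_id": "N1", "process_id": "P100", "parent_id": None,
     "instruction": "OPEN_VALVE_V1", "rules": [("pump_running", "==", 0)]},
    {"node_id": "N2", "process_id": "P100", "parent_id": "N1",
     "instruction": "START_PUMP_P1", "rules": [("valve_v1_open", "==", 1)]},
    {"node_id": "N3", "process_id": "P100", "parent_id": "N2",
     "instruction": "SET_HEATER_80C",
     "rules": [("level_cm", ">=", 40), ("temp_c", "<", 100)]},
]

OPS = {"==": operator.eq, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}


def build_dag(rows, process_id):
    """Reassemble the rows of one process route into (nodes, children).

    Kahn's BFS topological ordering is used so that a stored route that
    contains a loop (forbidden by the flowchart definition) is rejected.
    """
    nodes = {r["node_id"]: r for r in rows if r["process_id"] == process_id}
    if not nodes:
        raise ValueError(f"unknown process route {process_id}")
    children = defaultdict(list)
    indegree = {nid: 0 for nid in nodes}
    for r in nodes.values():
        parent = r["parent_id"]
        if parent is None:
            continue
        if parent not in nodes:
            raise ValueError(f"node {r['node_id']} references missing parent {parent}")
        children[parent].append(r["node_id"])
        indegree[r["node_id"]] += 1
    queue = deque(n for n, d in indegree.items() if d == 0)
    visited = 0
    while queue:
        n = queue.popleft()
        visited += 1
        for c in children.get(n, []):
            indegree[c] -= 1
            if indegree[c] == 0:
                queue.append(c)
    if visited != len(nodes):
        raise ValueError("process route contains a cycle")
    return nodes, dict(children)


def preconditions_met(rules, state):
    """Evaluate every (signal, op, threshold) rule; a missing signal fails."""
    return all(sig in state and OPS[op](state[sig], val) for sig, op, val in rules)


def select_target_node(nodes, children, last_node, state):
    """Return the unique operation node executable right now, or None.

    last_node is the historical final state node; only its direct successors
    form the allowed state transition space (the start node when the route
    has not begun). Zero or several matches return None: the system refuses
    rather than guesses which instruction the operator is entitled to.
    """
    if last_node is None:
        candidates = [n for n, r in nodes.items() if r["parent_id"] is None]
    else:
        candidates = children.get(last_node, [])
    matches = [n for n in candidates if preconditions_met(nodes[n]["rules"], state)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    nodes, children = build_dag(PROCESS_ROWS, "P100")
    print(select_target_node(nodes, children, "N1", {"valve_v1_open": 1}))
```

Restricting candidates to direct successors is what keeps an operator who holds a valid session from jumping to a later node (for instance the heater step) merely because the device happens to satisfy that node's preconditions; the cycle check protects the successor computation from a corrupted route definition.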
[0078] S104. Combine the instruction code of the unique atomic instruction to be executed, the identification information of the target device state preconditions, and the identifier of the identity session, and generate a single valid authorization credential through an encryption algorithm.
[0079] Instruction codes refer to machine codes or communication protocol messages that can be directly recognized and executed by industrial control equipment. The identification information of the target device status preconditions can be the hash value of the precondition rules or a database primary key ID, used for retrospective verification of environment requirements in subsequent verification. Combination refers to concatenating the above multi-source data into a single raw data packet to be signed according to a predetermined format. Encryption algorithms refer to cryptographic algorithms used to generate digital signatures or message authentication codes. A single-use valid authorization credential is an encrypted string that is immutable and valid only within the current specific operating context; it becomes invalid once used or the environment changes.
[0080] To generate a single-use valid authorization credential, the system employs symmetric-key technology based on a Hash-based Message Authentication Code (HMAC). The system first concatenates the instruction code, precondition ID, session ID, a randomly generated nonce (a one-time random number), and the current timestamp into a string in a specific order. Then, using a key pre-shared between the server and gateway, the system performs an HMAC-SHA256 operation on this string; the resulting hash value is the authorization credential. This credential is packaged together with the original data.
[0081] Another implementation is based on asymmetric encryption digital signature technology. The system possesses a public-private key pair. The private key is stored in a secure key management service, while the public key is deployed on the industrial control gateway. The system calculates a digest of the combined data and then uses the private key to encrypt the digest to generate a digital signature. This digital signature serves as a single-use valid authorization credential. In this approach, the gateway does not need to hold a sensitive shared key; it only needs to verify the signature using the public key, resulting in higher security and suitability for distributed architectures.
[0082] S105. When the industrial control gateway receives the data packet submitted by the user terminal and parses out the control command to be executed and the single valid authorization credential, it collects the current physical state vector of the target device.
[0083] An industrial control gateway is a hardware or software facility deployed at the boundary between IT and OT networks, possessing protocol conversion, data isolation, and security filtering capabilities. A data packet is a network message containing instructions, credentials, and metadata. Parsing refers to the process by which the gateway unpacks data according to the agreed communication protocol and extracts key fields. The current physical state vector refers to the gateway's proactive real-time query to the underlying control device to obtain the latest sensor values at the moment the verification logic is executed. This step is crucial because it ensures that verification is based on the device state "at this very moment," not on the state at the time the user initiated the request.
[0084] To achieve gateway resolution and status acquisition, the system can adopt an implementation method based on deep packet inspection and active polling. The industrial control gateway runs a high-performance packet processing program. When the network interface receives a TCP/IP packet, the program identifies the application layer protocol header, extracts the JSON data in the payload, and separates the instruction field and credential string. Subsequently, the gateway uses its built-in industrial protocol driver to immediately construct a request frame to read the holding register based on the target device address involved in the instruction, sends it to the corresponding PLC, and synchronously waits for the PLC to return a response frame, parsing the response data into the current physical state vector.
[0085] Another implementation approach is a local data collection method based on an edge computing agent. A lightweight edge computing service is deployed inside the gateway, which maintains a real-time cache of the target device's image state using a publish-subscribe pattern. When the gateway receives a request from a user terminal and parses the instruction, it does not directly initiate network polling but instead reads the latest state snapshot maintained by the edge agent in its local memory. To ensure real-time performance, the edge agent synchronizes the underlying device state at millisecond-level intervals. The gateway extracts the corresponding physical state vector from the memory snapshot, significantly reducing verification latency.
[0086] S106. If the session identifier is valid, the control command to be executed in the data packet is consistent with the command code in the single valid authorization credential, and the current physical state vector meets the preconditions of the target device state, the write channel for the control command to be executed is temporarily opened.
[0087] Verifying the validity of the session identifier means checking whether the Session ID is within its validity period and has not been cancelled. Command consistency verification means comparing the plaintext transmitted command with the encrypted command hash contained in the credential to prevent man-in-the-middle tampering. State precondition satisfaction means applying the real-time physical state collected in step S105 to the logical rules determined in S103 for calculation, confirming the result as true. These three conditions constitute an AND logical relationship. Temporarily opening a write channel means the gateway logically unblocks a specific command, establishing a short-term path allowing data to flow to the underlying device. This channel is typically a logical whitelist or a dynamic insertion of firewall rules.
[0088] To achieve the aforementioned multi-factor authentication and channel opening, the system can employ software-defined boundary technology based on logic gate control. An internal security verification module runs within the gateway. This module sequentially executes the following steps: calling the authentication service to verify the SessionID; decrypting the credential using a pre-set public key and comparing the decrypted instruction code with the received instruction; and substituting real-time status values into a precondition expression for calculation. When all three Boolean values are true, the gateway modifies its internal routing table or firewall rules, adding a rule that allows a specific source IP to send a specific length of data packet to a specific target PLC port, and setting a handle for this rule for subsequent closure.
[0089] Another implementation is based on an internal interlocking mechanism for proxy forwarding. The gateway, acting as an application-layer proxy, defaults to a state of "discarding all write requests." When a request is received, the gateway performs the three verification steps mentioned above in memory. After successful verification, the gateway does not modify the underlying network rules but instead activates an internal forwarding thread. This thread is authorized to encapsulate control instructions temporarily stored in the memory buffer into industrial protocol messages. At this point, the gateway is actually initiating a connection to the device on behalf of the user, rather than directly allowing the user to connect to the device. In this approach, channel opening is manifested as the state transitions of the proxy service's internal state machine.
[0090] S107. Transmit the control command to be executed to the target device for execution, and immediately close the write channel after the control command to be executed is transmitted;
[0091] Pass-through means that the gateway forwards the instruction to the target device unchanged, without modifying its content, format, or logic, ensuring accurate transmission of control intent. Target device execution means that the PLC or actuator changes its register state or performs a physical action after receiving the instruction. Immediately closing the write channel means that the system quickly revokes the temporary permission established in S106 and restores the default write-denied state the instant the instruction is sent. This mechanism is called the "atomic-level write window," designed to minimize the time the attack surface is exposed, maintaining it only within the milliseconds required for instruction transmission, preventing malicious programs from using the channel for subsequent illegal operations after instruction execution.
[0092] To achieve transparent command transmission and immediate channel closure, the system can employ an implementation based on synchronous blocking I/O and a callback mechanism. After successful verification, the gateway calls the underlying Socket interface to establish a connection with the target device, writing the command binary stream to the Socket output buffer. Immediately after the program executes the write operation, the `flush` function is called to ensure data transmission, followed by the execution of the `close` function or a function to reset firewall rules. The entire process is executed within a protected atomic code block or critical section, ensuring that no other operations are inserted between the write and close operations.
[0093] Another implementation is based on an event-driven asynchronous message queue mechanism. The gateway places the instructions to be executed into a high-priority send queue. A dedicated send worker thread retrieves instructions from the queue and sends them to the device via the industrial bus driver. This driver is configured with a "send complete" event listener. Once the underlying hardware confirms that the data frame has been sent, the driver triggers the event, and the callback function immediately executes the "channel lock" logic, resetting the gateway's state machine to read-only. This approach can handle high-concurrency instruction streams, ensuring that the channel is precisely closed after each instruction is sent.
[0094] S108. Cancel the single-use valid authorization credential.
[0095] Deregistration refers to marking the previously generated authorization credential used for this operation as invalid, preventing its reuse. This step is the final link in the entire security loop, designed to ensure the one-time nature of the credential. Even if an attacker sniffs out the credential on the network, or an insider attempts to submit the same request repeatedly, the system will directly reject the request in subsequent verification stages because the credential has been deregistered. Deregistration operations typically involve updating the database state, clearing the cache, or adding the credential ID to a blacklist; the atomicity and data consistency of this operation must be guaranteed.
[0096] To implement credential cancellation, the system can employ a mechanism based on an in-memory database blacklist. Since credentials typically have a natural expiration time, the system does not need to permanently store all used credentials. When a credential is successfully used, the system extracts its unique identifier, stores it in a blacklist set of a caching system such as Redis, and sets the record's lifetime to the credential's original remaining validity period. During the verification process, the system first checks if the credential is in the blacklist. Once blacklisted, any request carrying that credential will be immediately rejected.
[0097] Another implementation method is based on a database status bit update mechanism. If the system uses database persistent storage for credential records, each credential record has a "status" field. In step S108, the system executes an SQL update statement to update the status field of the corresponding credential ID from "pending" to "used," and records the usage time. Subsequent verification logic, when querying the database, determines that the credential is invalid if the status is found to be "used." This method facilitates auditing and traceability, but its performance is slightly lower than the in-memory blacklist method.
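The following is an added example, not the patent's or any vendor's code, covering steps S104 to S108 as one procedure: a single-use credential is issued as an HMAC-SHA256 tag over instruction code, precondition ID, session ID, nonce and timestamp (S104); the gateway reads the device state at verification time (S105) and checks session validity, command consistency and state preconditions as one AND condition (S106); the write channel is open only around a single pass-through send and is closed in a `finally` block (S107); and the used credential is blacklisted for its remaining validity (S108). The pre-shared key, the signed field order, the 30 s credential lifetime, the in-memory session and blacklist stores, and preconditions expressed as Python predicates are all assumptions of this example.

```python
"""Added example (not the patent's code): credential life cycle of S104-S108.

Assumptions: the pre-shared key, the signed field order, the 30 s lifetime,
the in-memory session and blacklist stores, and preconditions written as
predicates over the state vector are constructions of this example.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-example-key"   # placeholder; a KMS would hold the real key
CRED_TTL_S = 30
SIGNED_FIELDS = ("cmd", "pre", "sid", "nonce", "ts")


def _tag(payload):
    """HMAC-SHA256 over a canonical (sorted keys, compact) JSON encoding."""
    data = {k: payload[k] for k in SIGNED_FIELDS}
    msg = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class CredentialStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session_id -> expiry time
        self.used = {}       # credential tag -> blacklist expiry (S108)

    def open_session(self, session_id, ttl_s=600):
        self.sessions[session_id] = self.clock() + ttl_s

    def session_valid(self, session_id):
        return self.sessions.get(session_id, 0) > self.clock()

    def issue(self, instruction_code, precondition_id, session_id):
        """S104: bind instruction, precondition and session into one credential."""
        payload = {"cmd": instruction_code, "pre": precondition_id,
                   "sid": session_id, "nonce": secrets.token_hex(8),
                   "ts": int(self.clock())}
        return {**payload, "tag": _tag(payload)}

    def is_blacklisted(self, tag):
        expiry = self.used.get(tag)
        if expiry is not None and expiry <= self.clock():
            del self.used[tag]   # lazy expiry: the credential itself is expired too
            return False
        return expiry is not None

    def verify(self, packet, preconditions, current_state):
        """S106: every check must pass; the first failure names the reason."""
        cred = packet["credential"]
        if not all(k in cred for k in SIGNED_FIELDS + ("tag",)):
            return False, "malformed credential"
        if not hmac.compare_digest(_tag(cred), cred["tag"]):
            return False, "credential tag invalid"
        if self.clock() - cred["ts"] >= CRED_TTL_S:
            return False, "credential expired"
        if self.is_blacklisted(cred["tag"]):
            return False, "credential already used"
        if not self.session_valid(cred["sid"]):
            return False, "session invalid"
        if packet["command"] != cred["cmd"]:
            return False, "command mismatch"
        if not preconditions[cred["pre"]](current_state):
            return False, "state precondition not met"
        return True, "ok"

    def revoke(self, cred):
        """S108: blacklist the tag for the credential's remaining validity."""
        remaining = max(cred["ts"] + CRED_TTL_S - self.clock(), 0)
        self.used[cred["tag"]] = self.clock() + remaining


class Gateway:
    """Application-layer proxy: default deny, write channel opened per send."""

    def __init__(self, store, preconditions, read_state, send_to_plc):
        self.store, self.preconditions = store, preconditions
        self.read_state, self.send_to_plc = read_state, send_to_plc
        self.write_open = False
        self.audit = []

    def handle(self, packet):
        # S105: the state is read at verification time, not at request time.
        ok, reason = self.store.verify(packet, self.preconditions, self.read_state())
        if not ok:
            self.audit.append(("deny", reason))
            return False
        self.write_open = True                        # S106: temporary window
        try:
            self.send_to_plc(packet["command"])       # S107: pass-through
        finally:
            self.write_open = False                   # S107: close immediately
            self.store.revoke(packet["credential"])   # S108: single use
        self.audit.append(("allow", packet["command"]))
        return True
```

Two details matter for the security properties the text claims: the tag is compared with `hmac.compare_digest` rather than `==` so that verification time does not leak information about the expected value, and the blacklist entry lives exactly as long as the credential could still be accepted, which is the Redis-style TTL scheme of [0096] without unbounded growth.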
[0098] In the above embodiments, by configuring initial read-only monitoring mode permissions by default after user login verification, and combining this with standard work flow diagrams based on work orders for job management, the system can decompose complex operation processes into atomic instructions with clear preconditions. The system collects the physical status of the equipment in real time and compares it with the preconditions of the operation nodes to accurately locate the target operation node that is currently allowed to be executed. For each specific atomic instruction, the system dynamically generates a single-use valid authorization credential and ensures the integrity of the scenario when the instruction is executed through multiple verifications at the gateway layer. By temporarily opening the write channel and immediately closing it after the instruction transmission is completed, the time window for the industrial control system to be exposed to high-privilege operation states is reduced. This reduces the risk of interference with normal industrial production due to unauthorized use of accounts by others or unintentional touches by internal personnel at unnecessary times.
[0099] In the above embodiments, the system determines executable operation nodes by collecting equipment status in real time and comparing it with the preconditions of the operation nodes. However, in industrial settings, equipment status may change rapidly, and relying solely on static status collection may not accurately reflect the actual state at the moment of instruction execution. To improve the system's adaptability to dynamic scenarios, the following describes, with reference to Figure 2, another unified identity authentication and authorization method in an industrial network environment provided by this application:
[0100] Please refer to Figure 2, which is another flowchart illustrating a unified identity authentication and authorization method in an industrial network environment as described in this application.
[0101] S201. Calculate the current state change rate of the target device based on the historical time series data of the first physical state vector;
[0102] Historical time-series data refers to the set of first physical state vectors, precisely timestamped and continuously collected and stored by the system within a preset time window. This data set reflects the evolution trajectory of the target equipment's physical parameters over a recent period, and the storage structure typically employs a time-series database or a circular buffer. The rate of state change refers to the speed and direction of change of each component in the physical state vector over time, mathematically represented as the first derivative of the physical parameter with respect to time. For example, for temperature parameters, the rate represents the speed of heating or cooling; for pressure parameters, the rate represents the trend of pressurization or depressurization. By analyzing historical data, the system can not only obtain the current instantaneous values but also capture the trend characteristics of the system's dynamic changes. This step is fundamental to predictive verification, aiming to address the problem that static detection cannot cope with the highly dynamic changes in industrial environments.
[0103] To calculate the rate of state change, the system can employ numerical differentiation techniques based on the finite difference method. Specifically, the system extracts the physical state vectors and their corresponding timestamps from the memory database at the two or more most recent sampling times. The system calculates the state value difference and time difference between adjacent sampling points, and divides the state difference by the time difference to obtain the instantaneous rate of change. To smooth sampling noise, the system typically selects the N most recent sampling points and calculates a weighted average of the multiple difference values as the current rate of state change.
[0104] Another approach is a polynomial fitting technique based on the least squares method. The system selects M historical state data points from the current moment and a past period to construct a low-order polynomial model (such as a linear or quadratic model) over time. The system uses the least squares algorithm to solve for the coefficients of this polynomial, minimizing the sum of squared errors between the fitted curve and the actual data points. Once the analytical expression of the fitted curve is determined, the system directly differentiates this expression at the current moment; the calculated derivative value is the high-precision rate of state change. This method effectively suppresses random fluctuations in sensor data, providing a more accurate trend estimate.
[0105] S202. Based on the first physical state vector, the state change rate, and the preset instruction transmission delay, calculate the estimated state value of the target device at the instruction execution time.
[0106] The system calculates the estimated state value of the target device at the time of command execution based on the first physical state vector, the rate of state change, and the preset command transmission delay. This calculation is performed using the following formula:
[0107]
[0108] where the quantities in the formula are, in order: the estimated state value, the value of the first physical state vector, the rate of change of state, the preset command transmission delay, and the acceleration of change.
[0109] The preset command transmission delay refers to the theoretical or statistically average time required from the moment the system issues a control command, through network transmission, gateway processing, protocol conversion, until the target device's actuator actually performs its action. This is a comprehensive time parameter encompassing both communication and processing delays. Acceleration of change refers to the rate of change of state with time, i.e., the second derivative of the physical parameter with respect to time; it reflects the accelerating or decelerating trend of the device's state change. The estimated state value refers to the physical state that the target device should exhibit at a specific future moment (i.e., the command execution moment), deduced by the system based on current kinematic characteristics. The system utilizes kinematic equations from physics to extend discrete sampling points into continuous time functions, thereby bridging the time gap between decision-making and execution.
[0110] To calculate the predicted state value, the system employs direct numerical computation techniques based on the floating-point unit (FPU). In the arithmetic logic unit of the central processing unit, the system loads a first physical state vector as the initial displacement, the state change rate as the initial velocity, the change acceleration as the acceleration parameter, and a preset instruction transmission delay as the time variable. Based on the quadratic polynomial formula provided in the embodiment, the system sequentially performs multiplication and accumulation operations using multipliers and adders. Specifically, the system first calculates the product of the rate and the delay, then calculates the product of half the square of the delay and the acceleration, and finally adds these two increments to the current state value to obtain the final predicted result.
[0111] Another implementation approach is based on vector parallel computing technology using a digital signal processor (DSP). When the first physical state vector contains parameters in multiple dimensions (such as temperature, pressure, and flow rate simultaneously), the system utilizes the DSP's Single Instruction Multiple Data (SIMD) architecture to map the above formula into vector instructions. The system loads all dimension state values, rates, and accelerations into wide-bit registers at once and executes polynomial operations in parallel. This approach can significantly reduce computation clock cycles, especially in high-frequency control scenarios, ensuring the real-time performance of predictive calculations and avoiding new latency errors introduced due to excessive computation time.
[0112] S203. Compare the estimated state value with the preconditions of the equipment state corresponding to the target operation node;
[0113] Comparison refers to a logical judgment process aimed at verifying whether the future state of the equipment remains within the safe operating range. The preconditions for the equipment state have been resolved into a set of logical rules or numerical ranges in previous steps (e.g., "temperature < 100℃" or "valve opening >= 50%"). The system no longer uses the current sampled value for judgment, but instead uses the estimated state value derived in S202 as input. The core logic of this operation is "pre-verification": the system determines whether, if the current trend continues, the equipment state will have crossed the safety boundary by the time the command arrives. If the estimated state value falls within the valid range defined by the preconditions, the comparison is considered successful; otherwise, it is considered a failure. This is an application of model-based feedforward control in the field of safety authentication.
[0114] To compare the estimated state value with the preconditions, the system can employ a range query technique based on an interval tree. If the preconditions represent a continuous numerical range, the system constructs an index structure containing all allowed intervals. The system uses the estimated state value as the query key and searches within the interval tree. If the query key falls within any allowed interval node, or satisfies the inequality constraints, the algorithm returns a Boolean truth value. For multidimensional state vectors, the system can use a multidimensional spatial index structure (such as an R-tree or kd-tree) to determine whether the estimated state point lies inside a high-dimensional safe hypercube or polyhedron.
[0115] Another implementation approach is based on Complex Event Processing (CEP) technology using a rule engine. The system compiles the device state preconditions into a pattern matching object executable by the rule engine. The system encapsulates the estimated state value as a "predicted event" object and injects it into the rule engine's working memory. The rule engine then uses the Rete algorithm or similar efficient matching algorithms to automatically evaluate whether the event satisfies predefined constraints. This approach supports complex logical combinations (such as "temperature prediction > X and pressure prediction < Y") and can handle non-linear business rules, offering high flexibility and scalability.
[0116] S204. Only when the estimated state value meets the device state prerequisites of the target operation node, perform the step of combining the instruction code of the unique atomic instruction to be executed, the identification information of the target device state prerequisites, and the identifier of the identity session.
[0117] If the comparison result in S203 is false, the process will terminate here, and the system will not generate subsequent authorization credentials or send any instructions to the gateway. The combination step is technically consistent with step S104 in the aforementioned embodiment, namely, concatenating and encrypting key information. The innovation of this step lies in strongly binding the triggering time of credential generation to the dynamic prediction result. Only when the system is certain that the device state is secure at a future execution time will a "pass" be issued. This avoids invalid or dangerous instructions being encapsulated and transmitted, blocking potential risks at the source.
[0118] To achieve conditional triggering and data combination, the system can employ synchronous control flow technology based on transaction scripts. In the main logic thread of the application, the system sets up a conditional branch statement (If-Then structure). When the comparison function returns True, the program enters the Then block, sequentially calling the serialization function to convert the instruction code, precondition ID, and session ID into a byte stream, and then calling the encryption library interface to generate credentials. If the return value is False, the program enters the Else block, throws a "predicted state verification failed" exception, logs the error, and terminates the current transaction.
[0119] Another implementation approach is based on event-driven architecture and asynchronous message processing. The system defines an internal "predictive verification passed" event. Once the comparison logic of S203 confirms that the conditions are met, it publishes this event to the system's internal message bus. The credential generation service, as a subscriber to this event, is triggered upon receiving the event. The credential generation service extracts instructions and session information from the event payload and performs combination and signature operations. This decoupled design allows the system to flexibly handle high-concurrency requests and allows for the insertion of additional audit or monitoring hooks into the event processing chain without affecting the main flow's logical structure.
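The following is an added example, not code from the patent, carrying steps S201 to S204 through for one scalar component of the physical state vector: the rate of change is the average of the most recent finite differences ([0103]), the acceleration is the difference of consecutive rates, the estimated value is the current value plus rate times delay plus half the acceleration times the delay squared, as [0110] describes in prose ([0107] itself does not survive on the page), and the estimate is checked against the node precondition interval before credential generation may proceed (S203/S204). The temperature history, the 2 s and 4 s delays, and the "< 100" limit are constructed values.

```python
"""Added example (not the patent's code): predictive verification, S201-S204.

Constructed data: the temperature history, the delays and the upper limit
used in the demonstration at the bottom.
"""

# Constructed time series: (timestamp_s, temperature_c) of a tank heating up.
HISTORY = [(0.0, 60.0), (1.0, 64.0), (2.0, 69.0), (3.0, 75.0)]


def state_rate(samples, n=3):
    """S201: first derivative, averaged over the last n sampling points."""
    pts = samples[-n:]
    if len(pts) < 2:
        raise ValueError("need at least two samples to estimate a rate")
    diffs = [(v2 - v1) / (t2 - t1) for (t1, v1), (t2, v2) in zip(pts, pts[1:])]
    return sum(diffs) / len(diffs)


def state_acceleration(samples, n=3):
    """Second derivative from consecutive rates; zero when too few samples."""
    pts = samples[-n:]
    if len(pts) < 3:
        return 0.0
    # Each finite-difference rate is attributed to the midpoint of its interval.
    mids = [((t1 + t2) / 2, (v2 - v1) / (t2 - t1))
            for (t1, v1), (t2, v2) in zip(pts, pts[1:])]
    accs = [(r2 - r1) / (m2 - m1) for (m1, r1), (m2, r2) in zip(mids, mids[1:])]
    return sum(accs) / len(accs)


def predict_state(current, rate, accel, delay):
    """S202: kinematic extrapolation over the preset transmission delay."""
    return current + rate * delay + 0.5 * accel * delay ** 2


def in_range(value, lo=None, hi=None):
    """Precondition interval: lo inclusive, hi exclusive, None means unbounded."""
    return (lo is None or value >= lo) and (hi is None or value < hi)


def predictive_gate(history, delay, lo=None, hi=None):
    """S203/S204: return (allowed, estimate).

    Only an estimate inside the precondition interval lets credential
    generation (S104) proceed; otherwise the transaction ends here.
    """
    _, current = history[-1]
    estimate = predict_state(current, state_rate(history),
                             state_acceleration(history), delay)
    return in_range(estimate, lo, hi), estimate


if __name__ == "__main__":
    # A static check at the current 75 C would pass "< 100"; the prediction
    # decides whether the device is still inside the limit when the command lands.
    for delay in (2.0, 4.0):
        print(delay, predictive_gate(HISTORY, delay, hi=100.0))
```

With the constructed series the rate is 5.5 degrees per second and the acceleration 1 degree per second squared, so a 2 s delay yields an estimate of 88 (allowed) while a 4 s delay yields 105 (refused) even though the sampled value of 75 satisfies the precondition in both cases; that gap between sampled and predicted state is exactly what [0120] calls the lag problem of static judgment.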
[0120] In the above embodiments, by calculating the current rate of change of the device's state and combining it with the physical state vector and the preset command transmission delay, the system can predict the device's state value at the time of command execution. The predicted state value is compared in advance with the preconditions of the target operation node, avoiding the lag problem that may arise from relying solely on static state judgment. This state prediction-based advance verification mechanism improves the system's adaptability to dynamically changing scenarios, reduces the authorization timeliness problem caused by rapid changes in device state, and makes operation authorization decisions more in line with the real-time requirements of industrial control systems. This dynamic prediction method also improves the system's control accuracy in high-speed state change scenarios and reduces the impact of state deviation between the command execution time and the state acquisition time.
[0121] In the above embodiments, the system verifies in advance, through a state prediction mechanism, whether the device state at the time of instruction execution meets the operating conditions. However, verifying the state before instruction execution alone is insufficient; the effect after instruction execution must also be verified to ensure that the operation actually achieves the expected goal. This is therefore discussed further below with reference to Figure 3, which describes yet another unified identity authentication and authorization method in an industrial network environment of this application:
[0122] Please refer to Figure 3, which is another flowchart illustrating a unified identity authentication and authorization method in an industrial network environment according to an embodiment of this application.
[0123] S301. Acquire the second physical state vector of the target device after executing the control command to be executed;
[0124] The second physical state vector refers to a set of real-time data reflecting the current physical properties of the device, acquired by the system from the sensor array after the control command has been executed by the actuator of the target device (such as a motor, valve, heater, etc.). This vector maintains the same data dimension as the first physical state vector before command execution, but the timestamps are different; it represents the result state after the command's action. The control command to be executed is now considered executed, and its execution process may involve triggering physical actions, writing parameters, or switching operating modes. The data acquisition operation is not performed immediately upon the issuance of the command, but must follow strict timing logic, typically involving listening to the command completion signal (ACK) or waiting for a preset action stabilization time. Through this step, the system obtains real feedback from the physical world, providing a data foundation for subsequent closed-loop verification.
[0125] To acquire the second physical state vector, the system can employ an interrupt-triggered acquisition technique based on instruction completion. Specifically, the system maintains a communication connection with the underlying industrial control network (such as a PLC or SCADA system). When the underlying controller completes the drive of the actuator, it reports an "execution complete" interrupt signal or status flag to the system. Upon receiving this signal, the system immediately sends a data read request to the associated sensor nodes. The system reads multi-dimensional data such as temperature, pressure, and rotational speed in parallel using industrial bus protocols (such as Modbus TCP or OPC UA), and encapsulates these discrete analog or digital quantities into a unified data structure, namely the second physical state vector. During this process, the system also records the precise timestamp of the acquisition moment to ensure the timeliness and traceability of the data.
[0126] Another implementation method is a time-window-based delayed polling acquisition technique. Considering the inertia of certain physical processes (such as heating and pressurization), the device state will not immediately reach steady state after command execution. After issuing a control command, the system starts a preset delay timer based on that command type. When the timer reaches a preset stabilization time threshold, the system actively initiates a polling operation, continuously reading sensor data from multiple time points. The system filters this continuous data (e.g., removing extreme values and averaging) to eliminate the influence of transient fluctuations, ultimately generating a second physical state vector representing the steady-state result. This method is particularly suitable for large inertial systems, avoiding verification misjudgments caused by premature acquisition.
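The two acquisition techniques of [0125] and [0126], the interrupt-triggered read after an execution-complete ACK and the time-window delayed polling with filtering, as an added example that is not part of this application's own code. The stabilization delay table, the channel names, the trimmed-mean filter and the simulated plant with its transient spike are all constructed for the example; the clock and sleep functions are injected so that the same code runs against `time.time` and `time.sleep` in a real deployment.

```python
"""Added example (not the application's own code): acquiring the second physical
state vector of S301 by (a) an interrupt-triggered read after an execution-complete
ACK and (b) time-window delayed polling with a trimmed-mean filter.

Assumptions not in the application: a per-command-type stabilization delay
table, sensor readings as a dict of channel -> value, and a filter that drops
the minimum and maximum sample of each channel before averaging. The clock and
sleep are injected so the example runs against a constructed simulated plant.
"""

# Constructed stabilization thresholds (seconds) per command type.
STABILIZATION_DELAY_S = {"HEAT_ON": 5.0, "OPEN_VALVE": 1.0, "SET_SPEED": 2.0}


def trimmed_mean(values):
    """Drop one extreme at each end (if there are at least 3 samples) and average the rest."""
    ordered = sorted(values)
    core = ordered[1:-1] if len(ordered) >= 3 else ordered
    return sum(core) / len(core)


def acquire_on_completion(wait_for_ack, read_sensors, now, timeout_s=2.0):
    """Interrupt-triggered variant: read right after the controller reports completion.
    Returns None when no ACK arrives in time; the caller must treat that as a failure."""
    if not wait_for_ack(timeout_s):
        return None
    return {"timestamp": now(), "vector": dict(read_sensors())}


def acquire_second_state_vector(command_type, read_sensors, now, sleep,
                                samples=5, interval_s=0.2):
    """Delayed-polling variant: start the stabilization timer at issue time, then poll
    `samples` readings spaced `interval_s` apart and filter them per channel."""
    issued_at = now()
    remaining = STABILIZATION_DELAY_S[command_type] - (now() - issued_at)
    if remaining > 0:
        sleep(remaining)
    window = []
    for i in range(samples):
        window.append(dict(read_sensors()))
        if i < samples - 1:
            sleep(interval_s)
    channels = window[0].keys()
    vector = {ch: trimmed_mean([s[ch] for s in window]) for ch in channels}
    return {"command_type": command_type, "timestamp": now(),
            "vector": vector, "sample_count": len(window)}


class SimulatedPlant:
    """Constructed plant: a heater ramping 20 -> 80 degC over 5 s, with one spurious
    250 degC spike near t = 5.4 s to show the filter rejecting a transient."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds

    def read(self):
        temp = min(80.0, 20.0 + 12.0 * self.t)
        if 5.39 < self.t < 5.41:
            temp = 250.0
        return {"temp_c": temp, "valve_open": 1.0}


def demo():
    """Run the delayed-polling acquisition against the simulated plant."""
    plant = SimulatedPlant()
    return acquire_second_state_vector("HEAT_ON", plant.read, plant.now, plant.sleep)
```

With five samples the window contains one 250 degC outlier; a plain average would report about 114 degC and fail a reasonable post-condition, whereas the trimmed mean reports the steady 80 degC. The interrupt-triggered variant returns `None` on a missing ACK so that a silent controller is never mistaken for a completed action.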
[0127] S302. Obtain the expected post-operation state conditions of the target operation node in the standard operation flowchart;
[0128] A Standard Operating Procedure (SOP) Graph is a predefined directed graph data structure describing an industrial production process, where nodes represent specific operational steps and edges represent the execution order. The target operation node is the specific node that the current session is executing or has just completed. Post-operation expectation conditions refer to the physical criteria set for that operation node during the SOP definition phase, signifying the successful completion of that step. These conditions are typically represented as a set of logical rules, numerical ranges, or specific Boolean states (e.g., "Temperature > 80℃ and valve status = closed"). The operation retrieval process is the process by which the system reads these verification rules from a static process definition database or a process instance object in memory. This step establishes the standard for "success" and serves as a benchmark for judging the effectiveness of instruction execution.
[0129] To obtain the expected post-processing conditions, the system can employ graph database-based relational query technology. The system's backend storage uses a graph database (such as Neo4j) or a relational database to persist the standard job flowchart. Each node in the database has a unique identifier (Node ID) and is associated with an attribute field (JSON or XML format) that stores a verification rule. Based on the job progress recorded in the current identity session, the system locates the current target operation node ID, then initiates a query request to the database to extract the expected post-processing condition field corresponding to that node. The system deserializes the extracted rule string into a computable logical object or expression tree in memory for use in subsequent steps.
[0130] Another implementation is based on direct access technology using a memory object model. During system startup or session initialization, the entire standard operation flowchart is loaded and instantiated as a network of objects in server memory. Each node object contains a member variable or method called "PostConditions". The system directly accesses the currently active node object through the session handle and calls its attribute retrieval methods to directly read the post-expected state conditions. This approach avoids frequent disk I/O or network database queries, significantly reducing system latency, and is particularly suitable for high-frequency operation scenarios with extremely high real-time requirements.
[0131] S303. Compare the second physical state vector with the subsequent expected state conditions;
[0132] The comparison refers to the process of logically matching the actual physical data (second physical state vector) collected in S301 with the theoretical standards (subsequent expected state conditions) obtained in S302. This is not just a simple numerical equality judgment; it usually involves multi-dimensional range verification, logical combination operations, and tolerance analysis. If all parameters in the second physical state vector fall within the allowable range specified by the subsequent expected state conditions, it is determined to be "satisfied"; conversely, if any key parameter exceeds the range, it is determined to be "unsatisfied". This step is the core decision-making link in the closed-loop control logic, directly determining whether the subsequent process continues or triggers an alarm.
[0133] To compare physical states with expected conditions, the system can employ pattern matching technology based on a rule engine. The system converts the subsequent expected state conditions into a rule file (DRL) recognizable by the rule engine (such as Drools). The system inserts the second physical state vector as a "fact" object into the rule engine's working memory. The rule engine automatically executes the Rete algorithm to match the facts with the rules. If a match is successful, the engine returns True; otherwise, it returns False. This approach supports extremely complex logical judgments, such as handling nonlinear constraints and multi-parameter coupled constraints (e.g., "the ratio of pressure to temperature must be less than a certain constant"), and rule modifications do not require recompiling the system code.
[0134] Another approach is a threshold-based determination technique using vector distance calculation. When the state condition is represented as a target point or region in a multi-dimensional space, the system calculates the Euclidean or Mahalanobis distance between the second physical state vector and the target state vector. The system presets an allowable error radius (Epsilon). If the calculated distance is less than this error radius, the actual state is considered sufficiently close to the expected state, and the condition is satisfied. This method is particularly suitable for continuously changing analog control systems, as it can quantify "similarity" mathematically and flexibly control the rigor of verification by adjusting the error radius.
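The S303 comparison in both forms described in [0133] and [0134], as an added example that is not part of this application's own code: rule matching with range, boolean and coupled constraints combined by AND, and a distance-to-target check against an allowable error radius epsilon. The rules are evaluated as plain Python tuples rather than as Drools DRL, the `scale` argument stands in for a diagonal covariance (which makes the scaled distance a Mahalanobis distance), and the sample post-conditions and readings are constructed.

```python
"""Added example (not the application's own code): the S303 comparison of the
second physical state vector with the post-operation expected conditions, in
two forms: rule matching (range, boolean and coupled constraints, ANDed) and a
distance-to-target check with an allowable error radius epsilon.

Assumptions not in the application: rules are plain tuples evaluated in Python
rather than Drools DRL, and the 'scale' argument stands in for a diagonal
covariance, which makes the scaled distance a Mahalanobis distance.
"""
import math

_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def check_rules(vector, rules):
    """Rule-engine style comparison. Each rule is (channel, op, bound) or
    (label, predicate) for coupled constraints such as a pressure/temperature ratio.
    All rules must hold; returns (satisfied, labels of violated rules)."""
    violations = []
    for rule in rules:
        if len(rule) == 2:
            label, predicate = rule
            try:
                ok = bool(predicate(vector))
            except (KeyError, ZeroDivisionError):
                ok = False  # a missing or degenerate channel never counts as satisfied
        else:
            channel, op, bound = rule
            label = f"{channel} {op} {bound}"
            ok = channel in vector and _OPS[op](vector[channel], bound)
        if not ok:
            violations.append(label)
    return (not violations), violations


def within_epsilon(vector, target, epsilon, scale=None):
    """Distance-based comparison: the (optionally per-axis scaled) Euclidean distance
    from the actual vector to the target point must be below epsilon.
    Returns (satisfied, distance); a missing channel yields (False, inf)."""
    scale = scale or {}
    total = 0.0
    for channel, goal in target.items():
        if channel not in vector:
            return False, math.inf
        total += ((vector[channel] - goal) / scale.get(channel, 1.0)) ** 2
    distance = math.sqrt(total)
    return distance < epsilon, distance


# Constructed post-operation expectation for a "heat and close valve" node:
# "Temperature > 80 and valve status = closed", plus one coupled constraint.
POST_CONDITIONS = [
    ("temp_c", ">", 80.0),
    ("valve_closed", "==", 1),
    ("pressure/temp ratio < 2", lambda s: s["pressure_kpa"] / s["temp_c"] < 2.0),
]
```

Returning the list of violated rule labels, rather than a bare boolean, gives the process lock signal of S305 the "deviation details" it carries; the per-axis scale lets a channel measured in kPa and one measured in degrees contribute comparably to the distance instead of the larger-magnitude unit dominating.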
[0135] S304. If the second physical state vector satisfies the subsequent expected state condition, then update the current job pointer of the identity session in the standard job flowchart to the next operation node.
[0136] An identity session refers to the continuous interaction context established between the current operator or control program and the system. It stores the user's permissions, login time, and current state. The current job pointer is a logical cursor that points to the node currently being processed in the standard job flowchart. Updating to the next operation node signifies that the system has confirmed the current step has been successfully completed, allowing the process to proceed. This is a state machine state transition process, marking the switch from the "current task executing" state to the "next task waiting" state. This operation not only changes the process progress record but also typically triggers the initialization work of the next node, such as loading new preconditions or prompting the operator.
[0137] To update the job pointer, the system can employ a state transition technique based on database transactions. The system initiates a database transaction, first inserting a "step completed" record into the job log table, including completion time, execution result summary, and other information. Next, the system queries the standard job flowchart to find the direct successor node ID of the current node. The system updates the corresponding "CurrentNodeID" field in the identity session table to the successor node ID and commits the transaction. Through the atomicity of database transactions, it ensures that the log recording and state update either succeed simultaneously or fail simultaneously, preventing data inconsistencies (e.g., the log shows completion but the pointer hasn't moved).
[0138] Another implementation approach is based on a token bucket mechanism for permission transfer. The system maintains a distributed token store (such as Redis). Each operation node corresponds to a specific access token. When verification is successful, the system destroys the old token corresponding to the current node and generates and issues a new token for the next node to the identity session. The identity session object itself does not directly store pointers, but implicitly defines the current process stage through the type of token it holds. This approach is beneficial for building a distributed microservice architecture, where each service node only needs to verify the validity of the token to know the process progress, without frequently querying a centralized state database.
[0139] S305. If the second physical state vector does not satisfy the subsequent expected state condition, then generate a process lock signal.
[0140] Failure to meet the conditions means that the control command execution failed, or that although the command was executed, the equipment did not reach the expected physical state (e.g., valve jamming, heating element failure). A process lockout signal is a high-priority system interruption flag or control message designed to immediately freeze the current standard operating procedure to prevent error accumulation or the escalation of safety incidents. This signal not only affects the current identity session but may also trigger alarm systems. Generating this signal is a proactive exception handling mechanism that switches the system's operating mode from "normal flow" to "fault handling" or "safety suspension" mode.
[0141] To generate process lock signals, the system can employ a publish-subscribe message broadcasting technique. When the comparison logic returns False, the system constructs an exception event object containing an error code, current node information, deviation details, and session ID. This object is then published to a dedicated alert topic in a message middleware (such as RabbitMQ or Kafka). Multiple components subscribed to this topic (such as the process controller, HMI alert interface, and log auditing service) will simultaneously receive the lock signal. Upon receiving the signal, the process controller marks the session state in memory as "Locked." This decoupling ensures that the lock signal instantly reaches all relevant parts of the system, achieving a synchronized response across the entire system.
[0142] Another implementation method is based on shared memory flag toggling. In real-time control systems, a global state table is maintained in the shared memory region. When a condition is not met, the system directly modifies the state flag corresponding to the current session from "Running" to "Suspended" or "Error_Locked" via an atomic CAS operation. Any subsequent operation request that reads this memory flag will immediately detect the locked state. This method has extremely low latency and is suitable for hard real-time industrial control scenarios with extremely high requirements for safety response speed, ensuring that the process freeze is completed within milliseconds.
[0143] S306. In response to a process lock signal, prevent identity sessions from generating single-use authorization credentials for the next operation node in the standard operation flowchart.
[0144] Denying generation is a mandatory access control measure and a direct consequence of process locking signals. A one-time token is the unique digital key that drives industrial equipment to perform specific actions. By intercepting at this level, the system fundamentally cuts off the possibility of erroneous processes continuing. No matter how the operator attempts to click "Next" or send instructions, the gateway or underlying controller will refuse execution due to the lack of valid cryptographic credentials. This reflects the "fail-safe" design principle, where the default behavior is to prohibit operation rather than allow it when the system state is uncertain or abnormal.
[0145] To prevent the generation of authorization credentials, the system can employ a state-based interception filter. An interceptor is deployed at the entry point of the Token Service. When a request to generate the next node's credential is received, the interceptor first queries the current identity session's state storage. If the query results indicate a "process lock signal" or the session state is "Locked," the interceptor directly throws an "AccessDeniedException" and returns an HTTP 403 Forbidden response, terminating the credential generation process. This check logic is hard-coded into the core path of credential issuance and cannot be bypassed.
[0146] Another implementation approach is based on immediate revocation technology using a blacklist. If the system employs a pre-issued credential mechanism, then when step S305 generates a locking signal, the system immediately adds the current session ID and the credential ID of the next node (which may have already been pre-generated) to a global cache blacklist (such as a Redis blacklist), setting a relatively long expiration time. The gateway checks this blacklist before verifying any credential. Even if the credential's cryptographic signature is valid, the gateway rejects it if it appears on the blacklist. This approach ensures that the locking signal takes effect immediately, even in a distributed environment, preventing any potential violations.
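Steps S304 to S306 as one small state machine, as an added example that is not part of this application's own code: the transactional pointer update of [0137], the lock signal broadcast of [0141], the state-based interceptor of [0145] and the gateway blacklist check of [0146]. SQLite in-memory tables stand in for the job log, session and flow tables, an in-process handler list stands in for the alert topic, and a plain set stands in for the Redis blacklist (the expiration time mentioned in [0146] is omitted); the node names, session IDs and error code are constructed.

```python
"""Added example (not the application's own code): S304 to S306 as a state machine.
A successful S303 result advances the session's job pointer in one database
transaction (completion log + CurrentNodeID update); a failed result marks the
session Locked, broadcasts a process lock event, blacklists the session's
credentials, and the token service interceptor then refuses the next credential.

Assumptions not in the application: SQLite in-memory tables replace the job log,
session and flow tables; an in-process handler list replaces the message broker;
a plain set replaces the Redis blacklist (no expiry is modelled).
"""
import sqlite3
import time


class AccessDeniedException(Exception):
    """Raised by the Token Service interceptor; maps to HTTP 403 Forbidden."""


SCHEMA = """
CREATE TABLE flow_edges (node_id TEXT, next_node_id TEXT);
CREATE TABLE session (session_id TEXT PRIMARY KEY, current_node_id TEXT, state TEXT);
CREATE TABLE job_log (session_id TEXT, node_id TEXT, result TEXT, completed_at REAL);
"""


def open_store():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.executescript(SCHEMA)
    return conn


def seed_demo(conn):
    """Constructed flow N1 -> N2 -> N3 with one running session positioned at N1."""
    conn.executemany("INSERT INTO flow_edges VALUES (?, ?)", [("N1", "N2"), ("N2", "N3")])
    conn.execute("INSERT INTO session VALUES (?, ?, ?)", ("sess-1", "N1", "Running"))


def advance_pointer(conn, session_id, summary):
    """S304: write the 'step completed' log entry and move the pointer atomically."""
    conn.execute("BEGIN")
    try:
        row = conn.execute("SELECT current_node_id FROM session WHERE session_id = ?",
                           (session_id,)).fetchone()
        if row is None:
            raise KeyError(session_id)
        conn.execute("INSERT INTO job_log VALUES (?, ?, ?, ?)",
                     (session_id, row[0], summary, time.time()))
        nxt = conn.execute("SELECT next_node_id FROM flow_edges WHERE node_id = ?",
                           (row[0],)).fetchone()
        if nxt is None:
            raise LookupError(f"no successor node for {row[0]}")
        conn.execute("UPDATE session SET current_node_id = ? WHERE session_id = ?",
                     (nxt[0], session_id))
        conn.execute("COMMIT")
        return nxt[0]
    except Exception:
        conn.execute("ROLLBACK")  # log entry and pointer move fail together
        raise


class LockBus:
    """Stand-in for the alert topic: every subscriber receives each lock event."""

    def __init__(self):
        self.handlers = []

    def subscribe(self, handler):
        self.handlers.append(handler)

    def publish(self, event):
        for handler in self.handlers:
            handler(event)


def lock_process(conn, session_id, bus, error_code, deviation, blacklist):
    """S305/S306: mark the session Locked, blacklist it, broadcast the lock event."""
    node = conn.execute("SELECT current_node_id FROM session WHERE session_id = ?",
                        (session_id,)).fetchone()[0]
    conn.execute("UPDATE session SET state = 'Locked' WHERE session_id = ?", (session_id,))
    blacklist.add(session_id)
    event = {"error_code": error_code, "node_id": node,
             "deviation": deviation, "session_id": session_id}
    bus.publish(event)
    return event


def verify_and_advance(conn, session_id, satisfied, bus, blacklist, detail=""):
    """Dispatch on the S303 result: advance on success, lock on failure."""
    if satisfied:
        return {"locked": False, "next_node": advance_pointer(conn, session_id, detail or "ok")}
    return {"locked": True,
            "event": lock_process(conn, session_id, bus, "E_POST_STATE", detail, blacklist)}


class TokenService:
    """Credential issuer with the state-based interceptor at its entry point."""

    def __init__(self, conn):
        self.conn = conn

    def issue_next_credential(self, session_id):
        row = self.conn.execute("SELECT state, current_node_id FROM session WHERE session_id = ?",
                                (session_id,)).fetchone()
        if row is None or row[0] == "Locked":
            raise AccessDeniedException("403 Forbidden: session is locked or unknown")
        return {"session_id": session_id, "node_id": row[1],
                "credential_id": f"cred-{session_id}-{row[1]}"}


def gateway_accepts(credential, blacklist):
    """Gateway-side blacklist check, performed before any signature verification."""
    return credential["session_id"] not in blacklist
```

The interceptor denies by default for an unknown session as well as a locked one, which is the fail-safe behaviour [0144] describes; the rollback in `advance_pointer` is what keeps the job log and the pointer from disagreeing when the successor lookup fails mid-transaction.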
[0147] In the above embodiments, by collecting the physical state of the equipment after instruction execution and comparing it with the expected state, the system establishes a closed-loop instruction execution effect verification mechanism. This mechanism verifies the actual execution effect of control instructions through real-time status feedback, improving the system's ability to identify abnormal operating conditions. When the execution result meets expectations, the system automatically advances the work process, pointing the work pointer to the next operation node, improving the continuity of work execution. This work advancement mechanism based on physical feedback reduces the risk of human judgment errors and improves the accuracy of work execution. By closely linking changes in physical state with standard operating procedures, the system enhances its ability to perceive the actual operating state of the equipment and improves the operational stability of the industrial control system.
[0148] The system in the embodiments of this invention is described below from the perspective of hardware processing. Please refer to Figure 4, which is a schematic diagram of the physical device structure of a unified identity authentication and authorization system in an industrial network environment provided in an embodiment of this application.
[0149] It should be noted that the system structure shown in Figure 4 is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of the present invention.
[0150] As shown in Figure 4, the system includes a Central Processing Unit (CPU) 401, which can perform various appropriate actions and processes based on a program stored in Read-Only Memory (ROM) 402 or a program loaded from storage portion 408 into Random Access Memory (RAM) 403, such as executing the methods described in the above embodiments. The RAM 403 also stores various programs and data required for system operation. The CPU 401, ROM 402, and RAM 403 are interconnected via a bus 404. An Input/Output (I/O) interface 405 is also connected to the bus 404.
[0151] The following components are connected to I/O interface 405: input section 406 including a camera, infrared sensor, etc.; output section 407 including a liquid crystal display (LCD) and speakers, etc.; storage section 408 including a hard disk, etc.; and communication section 409 including a network interface card such as a LAN (Local Area Network) card and a modem, etc. Communication section 409 performs communication processing via a network such as the Internet. Drive 410 is also connected to I/O interface 405 as needed. Removable media 411, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 410 as needed so that computer programs read from it can be installed into storage section 408 as needed.
[0152] In particular, according to embodiments of the present invention, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 409, and/or installed from removable medium 411. When the computer program is executed by central processing unit (CPU) 401, it performs the various functions defined in the present invention.
[0153] It should be noted that the computer-readable medium shown in the embodiments of the present invention can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In the present invention, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In the present invention, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, wherein a computer-readable computer program is carried. The transmitted data signal can take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof.
[0154] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0155] In another aspect, the present invention also provides a computer-readable storage medium, which may be included in the system described in the above embodiments; or it may exist independently and not assembled into the system. The storage medium carries one or more computer programs that, when executed by a processor of a system, cause the system to implement the methods provided in the above embodiments.
[0156] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.
[0157] As used in the above embodiments, depending on the context, the term "when..." can be interpreted as "if...", "after...", "in response to determining...", or "in response to detecting...". Similarly, depending on the context, the phrase "when determining..." or "if (the stated condition or event) is detected" can be interpreted as "if determining...", "in response to determining...", "when (the stated condition or event) is detected", or "in response to detecting (the stated condition or event)".
[0158] In the above embodiments, implementation can be achieved entirely or partially through software, hardware, firmware, or any combination thereof. When implemented using software, it can be implemented entirely or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this application are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state drive), etc.
[0159] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes described in the above method embodiments. The aforementioned storage medium includes various media capable of storing program code, such as ROM or random access memory (RAM), magnetic disks, or optical disks.
Claims
1. A unified identity authentication and authorization method in an industrial network environment, characterized in that it includes: after confirming that the user's login request has been verified, an identity session is established with the user's terminal, and the initial permissions of the identity session are configured to read-only monitoring mode. The system receives a job request initiated by a user based on a specific work order and retrieves a standard job flowchart associated with the specific work order from a preset database. The standard job flowchart is a directed graph consisting of several sequentially connected operation nodes, and each operation node has a preset corresponding device status prerequisite. The first physical state vector of the target device is collected, and the first physical state vector is compared with the device state preconditions of the operation node in the standard operation flowchart to determine the target operation node. The target operation node contains a unique atomic instruction to be executed and the corresponding target device state preconditions. The instruction code of the unique atomic instruction to be executed, the identification information of the target device state preconditions, and the identifier of the identity session are combined to generate a single valid authorization credential through an encryption algorithm. When the industrial control gateway receives the data packet submitted by the user terminal and parses out the control command to be executed and the single valid authorization credential, it collects the current physical state vector of the target device.
If the session identifier is verified to be valid, the control instruction to be executed in the data packet is consistent with the instruction code in the single valid authorization credential, and the current physical state vector satisfies the target device state prerequisite, the write channel for the control instruction to be executed is temporarily opened. The control command to be executed is transmitted to the target device for execution, and the write channel is closed immediately after the control command to be executed is transmitted. The single-use valid authorization credential is then cancelled.
2. The method according to claim 1, characterized in that the step of comparing the first physical state vector with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node specifically includes: Construct a logical interlock topology diagram of the target device and its associated devices; Based on the aforementioned logical interlock topology diagram, auxiliary status data of the associated devices are collected; The first physical state vector is correlated with the auxiliary state data to generate a composite scene state set; Traverse the standard operation flowchart and parse the preset scenario integrity constraints of each operation node. The preset scenario integrity constraints are that the target device itself meets the requirements and the auxiliary status of the associated device meets the interlocking logic. Logical operations are performed to match the composite scene state set with the preset scene integrity constraints of each operation node. The operation node that satisfies all the aforementioned interlocking logic is determined as the target operation node.
3. The method according to claim 1, characterized in that the step of comparing the first physical state vector with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node specifically includes: Retrieve the status change log of the target device within a preset historical time window, and identify the historical final state node of the target device at the end of the last operation; Based on the standard operation flowchart, retrieve all legal successor paths starting from the historical final state node to construct the allowed state transition space at the current moment; Functional semantic mapping is performed on the first physical state vector to convert discrete sensor values into corresponding current functional state descriptions; If it is determined that the current functional state description falls within the allowed state transition space, the node in the allowed state transition space corresponding to the current functional state description is determined as the target operation node.
4. The method according to claim 1, characterized in that, after comparing the first physical state vector with the equipment state prerequisites of the operation node in the standard operating procedure diagram to determine the target operation node, the method further includes: Based on the historical time-series data of the first physical state vector, the current state change rate of the target device is calculated; Based on the first physical state vector, the state change rate, and the preset instruction transmission delay, the estimated state value of the target device at the instruction execution time is calculated. The estimated state value is compared with the device state prerequisites corresponding to the target operation node; The step of combining the instruction code of the unique atomic instruction to be executed, the identification information of the target device state prerequisite, and the identifier of the identity session is executed only when the estimated state value meets the device state prerequisite of the target operation node.
5. The method according to claim 4, characterized in that, The step of calculating the estimated state value of the target device at the time of instruction execution based on the first physical state vector, the state change rate, and the preset instruction transmission delay is specifically calculated using the following formula: in, The estimated state value, The value of the first physical state vector. The rate of change of the state. The preset instruction transmission delay, It represents the changing acceleration.
6. The method according to claim 1, characterized in that, after revoking the single-use valid authorization credential, the method further includes: collecting the second physical state vector of the target device after the control instruction to be executed has been executed; obtaining the post-expected state condition of the target operation node in the standard operation flowchart; comparing the second physical state vector with the post-expected state condition; and, if the second physical state vector satisfies the post-expected state condition, updating the current job pointer of the identity session in the standard operation flowchart to the next operation node.
7. The method according to claim 6, characterized in that, after comparing the second physical state vector with the post-expected state condition, the method further includes: if the second physical state vector does not satisfy the post-expected state condition, generating a process lock signal; and, in response to the process lock signal, prohibiting the identity session from generating a single-use valid authorization credential for the next operation node in the standard operation flowchart.
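The following is an added example, not code from the patent or its assignee, that models the decision steps of claims 3 to 7 as a small gating engine in front of the write channel: target-node selection from the allowed state transition space (claim 3), re-checking the prerequisite against the state predicted for the instruction execution time (claims 4 and 5), and advancing the job pointer or raising a process lock after execution (claims 6 and 7). The tank-fill operation flowchart, the sensor-to-functional-state rules, the two-step search depth and the second-order extrapolation used for the estimated state value (the page lists the formula's terms but not the formula itself) are all assumptions made for illustration.

```python
"""Added illustrative model of claims 3 to 7; not the patent's own code.
The SOP graph, sensor mapping, search depth and extrapolation formula are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Vector = Dict[str, float]      # a physical state vector: one reading per sensor
Sample = Tuple[float, float]   # (timestamp in seconds, level reading) history entry


@dataclass
class OpNode:
    name: str
    precondition: str          # device state prerequisite (functional state) before the step
    instruction: str           # the single atomic instruction this node issues
    postcondition: str         # post-expected state condition after the step
    successors: List[str] = field(default_factory=list)


# Constructed standard operation flowchart for a tank fill cycle (assumption, not from the patent).
SOP: Dict[str, OpNode] = {
    "open_inlet":   OpNode("open_inlet",   "tank_empty",    "OPEN_INLET",   "inlet_open",    ["start_pump"]),
    "start_pump":   OpNode("start_pump",   "inlet_open",    "START_PUMP",   "filling",       ["dose_reagent"]),
    "dose_reagent": OpNode("dose_reagent", "dosing_window", "DOSE_REAGENT", "reagent_dosed", ["stop_pump"]),
    "stop_pump":    OpNode("stop_pump",    "tank_full",     "STOP_PUMP",    "pump_off",      ["close_inlet"]),
    "close_inlet":  OpNode("close_inlet",  "pump_off",      "CLOSE_INLET",  "tank_sealed",   ["open_inlet"]),
}


def functional_state(v: Vector) -> str:
    """Claim 3: functional semantic mapping of discrete sensor values (constructed rules)."""
    level = v["level"]
    inlet, pump, dosed = bool(v["inlet_open"]), bool(v["pump_on"]), bool(v["reagent_dosed"])
    if pump and inlet:
        if level >= 95.0:
            return "tank_full"
        if dosed:
            return "reagent_dosed"
        return "dosing_window" if 40.0 <= level <= 60.0 else "filling"
    if inlet:
        return "pump_off" if level >= 95.0 else "inlet_open"
    if not pump:
        return "tank_sealed" if level >= 95.0 else "tank_empty"
    return "unknown"           # pump running against a closed inlet is not a legal SOP state


def allowed_transition_space(last_node: str, max_depth: int = 2) -> List[str]:
    """Claim 3: nodes on legal successor paths from the last completed node (depth is an assumption)."""
    seen, frontier, space = {last_node}, [last_node], []
    for _ in range(max_depth):
        nxt = []
        for n in frontier:
            for s in SOP[n].successors:
                if s not in seen:
                    seen.add(s)
                    nxt.append(s)
        space.extend(nxt)
        frontier = nxt
    return space


def determine_target_node(last_node: str, v: Vector) -> Optional[str]:
    """Claim 3: the allowed node whose prerequisite equals the current functional state, if any."""
    desc = functional_state(v)
    return next((n for n in allowed_transition_space(last_node) if SOP[n].precondition == desc), None)


def rate_and_acceleration(history: List[Sample]) -> Tuple[float, float]:
    """Claim 4: state change rate and its rate of change from the last three level samples."""
    (t0, x0), (t1, x1), (t2, x2) = history[-3:]
    v1, v2 = (x1 - x0) / (t1 - t0), (x2 - x1) / (t2 - t1)
    return v2, (v2 - v1) / (t2 - t1)


def estimated_level(level: float, rate: float, accel: float, delay: float) -> float:
    """Claim 5 names rate, delay and acceleration as the terms; the second-order form is assumed."""
    return level + rate * delay + 0.5 * accel * delay ** 2


@dataclass
class Session:
    session_id: str
    current_node: str          # current job pointer: the operation node last completed
    locked: bool = False       # set by the claim 7 process lock signal


def authorize(s: Session, v: Vector, history: List[Sample], delay_s: float) -> Tuple[Optional[str], str]:
    """Claims 3-4: choose the target node, then require its prerequisite to still hold at the
    predicted execution time.  Returns (instruction code or None, target node or reason)."""
    if s.locked:
        return None, "session is under process lock"
    target = determine_target_node(s.current_node, v)
    if target is None:
        return None, f"state '{functional_state(v)}' matches no allowed node after '{s.current_node}'"
    rate, accel = rate_and_acceleration(history)
    predicted = dict(v, level=estimated_level(v["level"], rate, accel, delay_s))
    if functional_state(predicted) != SOP[target].precondition:
        return None, f"prerequisite of '{target}' will have lapsed by execution time"
    return SOP[target].instruction, target


def verify_after_execution(s: Session, node: str, v2: Vector) -> bool:
    """Claims 6-7: advance the job pointer if the post-expected state holds, otherwise lock the session."""
    if functional_state(v2) == SOP[node].postcondition:
        s.current_node = node
        return True
    s.locked = True
    return False
```

The prediction step is what separates this from a plain precondition check: with a level rising at 6 units per second, a reading of 58 satisfies the dosing window now, but a 0.5 s transmission delay puts the execution-time level at 61, so `authorize` refuses and the credential is never minted; with a 0.2 s delay the same reading is accepted. A failed post-check locks the session, after which `authorize` refuses every further node until an operator clears the lock (clearing is outside the claims and this example).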
8. A unified identity authentication and authorization system in an industrial network environment, characterized in that the system includes one or more processors and a memory, the memory being coupled to the one or more processors and used to store computer program code, the computer program code including computer instructions, and the one or more processors invoking the computer instructions to cause the system to perform the method according to any one of claims 1 to 7.
9. A computer-readable storage medium comprising instructions, characterized in that, when the instructions are executed on a system, the system performs the method according to any one of claims 1 to 7.
10. A computer program product, characterized in that, when the computer program product is run on a system, the system performs the method according to any one of claims 1 to 7.