A control method and system of industrial internet of things

By performing feature analysis and encryption on real-time operating data in the industrial IoT gateway, and classifying security levels and transmission priorities, the problem of low data transmission security and efficiency in existing technologies is solved. This enables priority transmission and encryption of critical data, thereby improving the reliability of remote control of industrial equipment and system security.

CN122268639APending Publication Date: 2026-06-23HEBEI HONGKUN ENG CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HEBEI HONGKUN ENG CO LTD
Filing Date
2026-03-31
Publication Date
2026-06-23

Smart Images

  • Figure CN122268639A_ABST
    Figure CN122268639A_ABST
Patent Text Reader

Abstract

The application provides an industrial internet of things control method and system, and belongs to the technical field of industrial internet of things, and the method comprises the following steps: obtaining real-time operation data of an industrial device and performing feature analysis to determine the security level and transmission priority of the industrial device; according to the security level, an encryption strategy is matched to encrypt the real-time operation data to generate an encrypted data packet; the encrypted data packet is stored in a corresponding sending queue according to the transmission priority and is sent to a remote platform; a control instruction returned by the remote platform and carrying a timestamp and a digital signature is received, integrity verification and identity authentication are performed on the control instruction, and a control parameter is obtained by parsing the control instruction after the control instruction passes the verification; a driving signal is generated according to the control parameter and is sent to the industrial device to control the industrial device to perform corresponding actions. The industrial internet of things control method and system can improve the reliability of remote control of the industrial device and the security of the overall system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application belongs to the field of industrial Internet of Things (IoT) technology, and more specifically, relates to a control method and system for industrial IoT. Background Technology

[0002] With the widespread application of Industrial Internet of Things (IIoT) technology, IIoT gateways, as key hubs connecting industrial equipment and remote platforms, undertake important functions such as data acquisition, processing, and control command forwarding. However, existing control methods often adopt a uniform processing mode during data interaction, lacking differentiated mechanisms based on data sensitivity and urgency. Furthermore, they struggle to effectively verify the integrity and authenticate control commands. This crude management approach leads to critical data not being prioritized for transmission and is prone to leakage. Illegal commands are also at risk of being executed, making the system unable to cope with complex industrial security needs and meet high-precision control requirements. Ultimately, data transmission security and efficiency cannot be guaranteed, resulting in low reliability of remote control of industrial equipment and low overall system security. Summary of the Invention

[0003] The purpose of this application is to provide a control method and system for the Industrial Internet of Things (IIoT), which can improve the reliability of remote control of industrial equipment and the security of the overall system, so as to ensure data transmission security and transmission efficiency.

[0004] To achieve the above objectives, the technical solutions provided in this application are as follows: Firstly, a control method for the Industrial Internet of Things (IIoT) is provided, applied to an IIoT gateway. The IIoT gateway is communicatively connected to industrial equipment and a remote platform, including: Acquire real-time operating data of industrial equipment, perform feature analysis on the real-time operating data, and determine the security level and transmission priority of the real-time operating data; Based on the security level, the corresponding encryption strategy is matched to encrypt the real-time running data and generate encrypted data packets. The encrypted data packets are stored in the corresponding sending queue according to the transmission priority and then sent to the remote platform through the communication network. Receive control commands returned by the remote platform. The control commands are returned by the remote platform after parsing the encrypted data packets and generating control policies, and carry timestamps and digital signatures associated with real-time running data. The control commands are subjected to integrity verification and authentication. If both integrity verification and authentication are successful, the control commands are parsed to obtain the control parameters. Drive signals are generated based on control parameters and sent to industrial equipment to control it to perform corresponding actions.

[0005] Secondly, an industrial Internet of Things (IIoT) control device is provided, applied to an IIoT gateway, which is communicatively connected to industrial equipment and a remote platform, including: The data analysis module is used to acquire real-time operating data of industrial equipment, perform feature analysis on the real-time operating data, and determine the security level and transmission priority of the real-time operating data. The encryption module is used to encrypt real-time running data and generate encrypted data packets by matching the corresponding encryption strategy according to the security level. The communication module is used to store encrypted data packets into the corresponding sending queue according to the transmission priority, and send them to the remote platform through the communication network; The receiving module is used to receive control commands returned by the remote platform. The control commands are returned by the remote platform after parsing the encrypted data packets and generating control policies, and carry timestamps and digital signatures associated with real-time running data. The verification module is used to perform integrity verification and identity authentication on the control commands. If both integrity verification and identity authentication are successful, the control commands are parsed to obtain the control parameters. The control module is used to generate drive signals based on control parameters and send them to industrial equipment to control it to perform corresponding actions.

[0006] Thirdly, embodiments of this application also provide an industrial Internet of Things (IoT) gateway, which includes a memory and a processor. The memory stores a computer program, and the processor executes the computer program to implement an industrial IoT control method provided by any possible implementation of the first aspect.

[0007] Fourthly, embodiments of this application also provide a computer-readable storage medium storing a computer program that, when executed by a processor, implements an industrial Internet of Things control method provided by any possible implementation of the first aspect.

[0008] The beneficial effects of the technical solution provided in this application are as follows: This application provides a control method and system for the Industrial Internet of Things (IIoT). Compared with related technologies, this application connects industrial equipment and a remote platform via an IIoT gateway. First, it acquires real-time operating data from the equipment and performs feature analysis to classify security levels and transmission priorities. This allows for targeted protection of critical data and ensures its priority transmission, preventing ordinary data from occupying critical transmission resources. Then, it generates encrypted data packets based on encryption strategies matched to the security levels, effectively preventing leakage and tampering during data transmission and improving data transmission security. Data packets are stored in a sending queue according to transmission priority, reducing latency in critical data transmission and improving transmission efficiency. Control commands with timestamps and digital signatures are received, and control parameters are parsed after integrity verification and identity authentication, preventing false and tampered commands and avoiding equipment misoperation. Finally, drive signals are generated based on the control parameters to control the equipment, achieving precise remote control. In summary, this application improves the reliability of remote control of industrial equipment and the overall system security while ensuring data transmission security and efficiency. Attached Figure Description

[0009] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments of this application will be briefly introduced below.

[0010] Figure 1 A flowchart illustrating a control method for an industrial Internet of Things (IoT) provided in this application embodiment; Figure 2 A structural block diagram of a control device for an industrial Internet of Things (IoT) provided in this application embodiment; Figure 3 This is a schematic block diagram of an industrial IoT gateway provided in an embodiment of this application. Detailed Implementation

[0011] The embodiments of this application are described below with reference to the accompanying drawings. It should be understood that the embodiments described below with reference to the accompanying drawings are exemplary descriptions for explaining the technical solutions of the embodiments of this application, and do not constitute a limitation on the technical solutions of the embodiments of this application.

[0012] Those skilled in the art will understand that, unless otherwise stated, the singular forms “a,” “an,” and “the” used herein may also include the plural forms. It should be further understood that the terms “comprising” and “including” as used in embodiments of this application mean that the corresponding feature can be implemented as the presented feature, information, data, step, operation, element, and / or component, but do not exclude implementation as other features, information, data, step, operation, element, component, and / or combinations thereof supported by the art. It should be understood that when we say that an element is “connected” or “coupled” to another element, the one element can be directly connected or coupled to the other element, or it can mean that the one element and the other element establish a connection relationship through an intermediate element. Furthermore, “connected” or “coupled” as used herein can include wireless connection or wireless coupling. The term “and / or” as used herein indicates at least one of the items defined by the term; for example, “A and / or B” can be implemented as “A,” or as “B,” or as “A and B.” When describing multiple (two or more) items, if the relationship between the multiple items is not explicitly defined, the multiple items can refer to one, several or all of the multiple items. For example, the description of "parameter A includes A1, A2, A3" can be implemented as parameter A includes A1 or A2 or A3, or it can be implemented as parameter A includes at least two of the three items A1, A2 and A3.

[0013] This application provides a control method for an industrial Internet of Things (IIoT) application, which is applied to an IIoT gateway. The IIoT gateway is communicatively connected to industrial equipment and a remote platform. This method can be executed by the IIoT gateway, such as... Figure 1 As shown, the method may include: S101: Acquire real-time operating data of industrial equipment, perform feature analysis on the real-time operating data, and determine the security level and transmission priority of the real-time operating data.

[0014] In this embodiment, the industrial IoT gateway is a pivotal device connecting industrial equipment and a remote platform. It performs data acquisition, processing, encryption, transmission, and control command forwarding and verification functions, acting as a communication bridge between devices and the platform in the industrial IoT system. Industrial equipment refers to various functional devices used in industrial production processes, including but not limited to CNC machine tools, intelligent sensors, or production line controllers. These devices can generate operating parameters in real time and receive drive signals to execute corresponding actions. The remote platform is a terminal management platform with data parsing, storage, and control strategy generation functions. It can receive encrypted data packets sent by the gateway, parse them, generate control commands, and feed them back to the gateway, enabling remote control of the industrial equipment.

[0015] Real-time operational data refers to various parameter data generated by industrial equipment during operation. This data can be acquired through the gateway's built-in data acquisition module, including but not limited to equipment speed, operating temperature, operating pressure, operating current, voltage, and equipment status codes, directly reflecting the equipment's current operating status. Feature analysis is the process of extracting, identifying, and judging real-time operational data. It identifies the importance, sensitivity, and urgency of the data, providing a basis for subsequent security level and transmission priority classification.

[0016] Security levels are categorized based on the sensitivity or importance of real-time operational data, and are used to match corresponding encryption strategies to ensure the secure transmission of data of varying importance. Transmission priority is categorized based on the urgency of real-time operational data, and is used to determine the order in which encrypted data packets are sent, ensuring that critical data is transmitted first.

[0017] In this embodiment, the gateway establishes stable communication with industrial equipment (such as RS485 or Ethernet connection) through its built-in data acquisition module, collecting various parameters generated during equipment operation (i.e., real-time operating data) in real time. The acquisition process ensures the real-time nature and accuracy of the data, avoiding data loss or delay. After acquisition, the real-time operating data is feature extracted and analyzed. Combined with preset judgment rules (such as whether the data involves equipment safety or is a critical process parameter), the importance, sensitivity, and urgency of the data are identified. Corresponding security levels (for matching encryption strategies) and transmission priorities (for determining the sending order) are then assigned, providing a clear basis for subsequent data encryption and transmission, ensuring that critical data is given priority protection and transmission.

[0018] S102: Based on the security level, match the corresponding encryption strategy to encrypt the real-time running data and generate encrypted data packets.

[0019] In this embodiment, the encryption strategy is based on the encryption rules and algorithms preset according to the data security level, which is used to encrypt real-time running data to prevent the data from being leaked, tampered with or stolen during transmission.

[0020] Encrypted data packets are data units formed by encrypting real-time running data. They contain encrypted core data, security level identifiers, and data digests, and can be transmitted securely through communication networks.

[0021] In this embodiment, the gateway pre-stores encryption policies (including encryption algorithms, encryption processes, and key management methods) corresponding to different security levels. After determining the security level of the real-time running data, the security processing module automatically matches the corresponding encryption policy, uses a preset encryption algorithm to encrypt the real-time running data, converts the directly readable real-time running data into encrypted data that cannot be directly interpreted, and adds auxiliary information such as security level identifiers and data digests, ultimately generating encrypted data packets.

[0022] S103: Store the encrypted data packet into the corresponding sending queue according to the transmission priority, and send it to the remote platform through the communication network.

[0023] In this embodiment, the sending queue is a storage queue in the gateway used to temporarily store encrypted data packets. It is set according to transmission priority to ensure that data packets are sent in an orderly manner according to priority.

[0024] In this embodiment, the gateway internally has sending queues categorized by transmission priority (such as high-priority queues and normal-priority queues). Each queue corresponds to a transmission priority and is used to temporarily store encrypted data packets of different priorities. After generating an encrypted data packet, the gateway stores it in the corresponding sending queue according to its transmission priority, following the principle of sending high-priority packets first, thus preventing high-priority data from being occupied by low-priority data. Subsequently, the gateway sends the encrypted data packets in the sending queue sequentially to the remote platform through a preset industrial-grade communication network, ensuring that high-priority encrypted data packets (such as device alarm data) are transmitted first, reducing the transmission delay of critical data, and improving the rationality and efficiency of data transmission.

[0025] S104: Receive control commands returned by the remote platform. The control commands are returned by the remote platform after parsing the encrypted data packets and generating control policies, and carry timestamps and digital signatures associated with real-time running data.

[0026] In this embodiment, the control command is a command generated by the remote platform after parsing the encrypted data packet and combining it with the equipment's operating status. It serves as the command carrier for remotely managing the equipment. The timestamp is time information associated with real-time operating data, recording the time of data generation and control command generation. This is used to prevent replay attacks and ensure the timeliness of the commands. The digital signature is a unique identifier generated by the remote platform using an encryption algorithm. It is bound to the control command and used to verify the sender's identity and the integrity of the command, preventing forgery or tampering.

[0027] In this embodiment, after receiving the encrypted data packet sent by the gateway, the remote platform first decrypts the encrypted data packet using the corresponding decryption algorithm to restore the original real-time operating data. Then, the remote platform analyzes and processes the restored real-time operating data, combining industrial production needs and equipment safety operation standards to generate a control strategy for the equipment (such as adjusting equipment speed, starting or stopping the equipment, or modifying process parameters), and converts the control strategy into control commands that can be recognized and executed by the gateway. To ensure the legality, integrity, and timeliness of the control commands, the remote platform adds a timestamp (precisely recording the command generation time) and a digital signature (a unique encrypted identifier for the remote platform) associated with the original real-time operating data when generating the control commands. The control commands are then returned to the gateway via the communication network. The gateway's communication module receives the control commands, completing the reverse closed loop of data upload and command feedback, preparing for subsequent equipment control.

[0028] S105: Perform integrity verification and authentication on the control command. If both integrity verification and authentication pass, parse the control command to obtain the control parameters.

[0029] In this embodiment, integrity verification is a process to check whether the control commands have been tampered with or lost during transmission, ensuring that the command content is consistent with the original content sent by the remote platform. Identity authentication is a process to verify the legitimacy of the control command sender (remote platform), preventing unauthorized entities from sending false control commands and ensuring equipment control security. Control parameters are specific parameters used to drive the operation of industrial equipment, parsed from the control commands, including equipment operating thresholds, action commands (such as start / stop, speed adjustment), or parameter adjustment values.

[0030] In this embodiment, after receiving the control command, the gateway performs dual verification of the control command by the security processing module to avoid receiving tampered, forged, or illegal control commands. On the one hand, through integrity verification, it verifies whether the control command has been tampered with or lost during transmission, ensuring that the command content is consistent with the original content sent by the remote platform. On the other hand, through identity authentication (such as public key signature verification), it verifies whether the sender of the control command is a legitimate remote platform, preventing unauthorized entities from sending false control commands. Only when both integrity verification and identity authentication pass will the gateway's main control module parse the control command and extract the specific parameters used to control the operation of the industrial equipment (i.e., control parameters) to prepare for subsequent driving of the industrial equipment. If either verification fails, the control command is directly discarded to avoid equipment malfunction and ensure equipment operation safety.

[0031] S106: Generate drive signals based on control parameters and send them to industrial equipment to control it to perform corresponding actions.

[0032] In this embodiment, the drive signal is an electrical signal (analog or digital signal) generated by the gateway based on the control parameters and recognized by the industrial equipment, used to drive the industrial equipment to perform corresponding operating actions.

[0033] In this embodiment, the gateway's output module receives the control parameters parsed by the main control module and generates drive signals that can be recognized and executed by the industrial equipment according to the specific requirements of the control parameters. After signal amplification and isolation, the drive signals are sent to the industrial equipment through the communication interface between the gateway and the industrial equipment. After receiving the drive signals, the industrial equipment executes the corresponding operating actions according to the signal instructions, ultimately completing the precise control of the industrial equipment by the remote platform.

[0034] As can be seen from the above, this embodiment connects industrial equipment and a remote platform via an industrial IoT gateway. First, it acquires real-time operating data from the equipment and performs feature analysis to classify security levels and transmission priorities. This allows for targeted protection of critical data and ensures its priority transmission, preventing ordinary data from consuming critical transmission resources. Then, it generates encrypted data packets based on encryption strategies matched to the security levels, effectively preventing leakage and tampering during data transmission and improving data transmission security. Data is then stored in a sending queue according to transmission priority, reducing latency in critical data transmission and improving transmission efficiency. Control commands with timestamps and digital signatures are received, and after integrity verification and identity authentication, the control parameters are parsed to prevent false and tampered commands, avoiding equipment misoperation. Finally, drive signals are generated based on the control parameters to control the equipment, achieving precise remote control. In summary, this embodiment improves the reliability of remote control of industrial equipment and the overall security of the system while ensuring data transmission security and efficiency.

[0035] In one embodiment of this application, feature analysis is performed on real-time running data to determine the security level and transmission priority of the real-time running data, including: Data tags are extracted from real-time operational data. These data tags include equipment status identifiers, alarm identifiers, and process parameter identifiers. If the data tag contains an alarm identifier, the security level of the real-time running data will be set to high security level, and the transmission priority will be set to the highest priority. If the data tag does not contain an alarm identifier, but contains a process parameter identifier and the rate of change of the parameter value corresponding to the process parameter identifier exceeds the preset process parameter change threshold, then the security level of the real-time running data will be set to medium security level, and the transmission priority will be set to medium priority. If the data tag does not contain alarm or process parameter tags, but contains a device status tag indicating that the device is in normal operation, then the security level of the real-time operating data will be set to low security level, and the transmission priority will be set to normal priority.

[0036] In this embodiment, data tag extraction can be performed using the KMP string matching algorithm, completed by the gateway's main control chip. Device status identifiers are preset string codes; for example, "RUN" indicates normal operation, "STOP" indicates the device is stopped, and "FAULT" indicates a device malfunction. Each identifier corresponds to a fixed string length and encoding format for easy and rapid identification. Alarm identifiers are codes generated when industrial equipment malfunctions; for example, "ALM-001" indicates an over-temperature alarm, "ALM-002" indicates an abnormal pressure alarm, and "ALM-003" indicates an excessive speed alarm. Alarm identifiers are generated in real-time by the industrial equipment and transmitted to the gateway. Process parameter identifiers are codes for key process parameters in industrial production; for example, "TEMP" indicates temperature, "PRESS" indicates pressure, "SPEED" indicates speed, and "CURRENT" indicates current. Each process parameter identifier corresponds to a unique process parameter type.

[0037] In this embodiment, the preset process parameter change thresholds are set according to different process parameter types. Specific values ​​can be determined through on-site industrial debugging. For example, the preset change threshold for temperature is set to 5℃ / min, for pressure to 0.1MPa / min, for rotational speed to 50r / min, and for current to 1A / min. Security levels are divided into high, medium, and low security levels, each corresponding to different encryption strategies. Transmission priorities are divided into highest, medium, and normal priorities, each corresponding to different transmission queues. The highest priority queue is used to transmit high-security-level data, the medium priority queue is used to transmit medium-security-level data, and the normal priority queue is used to transmit low-security-level data.

[0038] In this embodiment, the specific steps for data tag extraction and level determination are as follows: The first step is to receive the collected real-time operating data, preprocess the real-time operating data, and remove redundant and interfering data. The second step is to use the KMP algorithm to perform string matching on the preprocessed real-time operating data to extract equipment status identifiers, alarm identifiers, and process parameter identifiers. The third step is to determine whether the extracted tags contain alarm indicators. If they do, the security level is determined to be high and the transmission priority is the highest. The fourth step is to determine whether the process parameter identifier is included if the alarm identifier is not included. If it is included, the change rate of the parameter value corresponding to the process parameter identifier is calculated (change rate = (current parameter value - previous parameter value) / time interval, where the time interval is the data acquisition cycle, i.e., 0.01s). If the change rate exceeds the preset threshold, the security level is determined to be medium security level and the transmission priority is medium priority. Fifth step: If the alarm indicator and process parameter indicator are not included, determine whether the equipment status indicator is included. If the equipment status indicator is "RUN" (normal operation), then the security level is determined to be low security level and the transmission priority is normal priority.

[0039] In this embodiment, after the gateway collects real-time operating data of industrial equipment, it first preprocesses the data to remove invalid data, and then extracts data tags using the KMP algorithm. Based on the tag type and changes in process parameters, the real-time operating data is divided into security levels and transmission priorities according to preset judgment rules. High security level and highest priority correspond to alarm data, medium security level and medium priority correspond to abnormal changes in process parameters, and low security level and normal priority correspond to normal equipment status data, providing a clear basis for subsequent encryption processing and queue transmission.

[0040] As can be seen from the above, this embodiment clarifies the criteria and specific procedures for determining the security level and transmission priority of real-time operational data, achieves precise data classification, ensures that critical data such as alarms or abnormal process parameters can be transmitted with priority and high-strength encryption, while ordinary normal data adopts conventional encryption and transmission methods. This not only ensures the security and real-time performance of critical data, but also avoids resource waste and improves the overall efficiency and rationality of data transmission.

[0041] In one embodiment of this application, real-time running data is encrypted according to a corresponding encryption strategy matched with the security level to generate an encrypted data packet, including: When the security level is high, an asymmetric encryption algorithm is used to encrypt the real-time running data, and a digital certificate is attached to generate an encrypted data packet. When the security level is medium or low, a symmetric encryption algorithm is used to encrypt the real-time running data and generate encrypted data packets. The encrypted data packet header includes a data digest, which is calculated from real-time running data using a hash algorithm.

[0042] In this embodiment, the asymmetric encryption algorithm can be the RSA2048 algorithm. This algorithm has high encryption strength and strong security, and can effectively prevent data from being cracked. It is suitable for encrypting high-security data. During the encryption process, the gateway uses the public key of the remote platform to encrypt the real-time running data, and the remote platform uses its own private key to decrypt it, ensuring the security of data transmission. The digital certificate is issued by an authoritative CA institution and contains the gateway's identity information, public key information and validity period. The digital certificate adopts the X.509 standard format and is attached to the header of the encrypted data packet for the remote platform to authenticate the gateway's identity.

[0043] The symmetric encryption algorithm can be AES128, which is fast, computationally inefficient, and consumes little gateway computing resources. It is suitable for encrypting data with low to medium security levels. During the encryption process, the gateway and the remote platform negotiate and generate a symmetric key in advance. The key is 128 bits long and is stored in the gateway. Each time encryption is performed, the key is used to encrypt the real-time running data, and the remote platform uses the same key to decrypt it.

[0044] The hash algorithm can be SHA256, which can convert real-time running data of any length into a fixed-length 256-bit data digest. The data digest is unique, meaning different real-time running data correspond to different data digests. The calculation of the data digest is completed by the gateway's security processing module. The calculation process is as follows: the real-time running data is arranged in a preset byte order, substituted into the SHA256 algorithm formula, and a 256-bit hexadecimal data digest is obtained. The data digest is appended to the header of the encrypted data packet for the remote platform to verify the integrity of the data. That is, after receiving the encrypted data packet, the remote platform recalculates the data digest of the decrypted real-time running data and compares it with the digest in the header of the data packet. If they match, it means that the data has not been tampered with; if they do not match, it means that the data has been tampered with, and the data packet is discarded directly.

[0045] The specific format of the encrypted data packet is as follows: header (occupying 8 bytes), including security level identifier (2 bytes), data digest (4 bytes, truncated from the first 4 bytes of the 256-bit digest) and digital certificate identifier (2 bytes, 1 for high security level data, 0 for medium and low security level data); body (variable length), which is the encrypted real-time running data; and tail (2 bytes), which is a checksum used by the gateway and remote platform to verify the integrity of the data packet transmission.

[0046] In this embodiment, after the gateway determines the security level of the real-time running data, the security processing module matches the corresponding encryption algorithm according to the security level. High-security-level data is encrypted using the RSA2048 asymmetric encryption algorithm and a digital certificate is attached. Medium- and low-security-level data is encrypted using the AES128 symmetric encryption algorithm. At the same time, the security processing module uses the SHA256 algorithm to calculate the data digest of the real-time running data and attaches it to the header of the encrypted data packet. After encryption, an encrypted data packet conforming to a preset format is generated for subsequent transmission. After receiving the data, the remote platform can verify the data integrity through the data digest, verify the gateway's identity through the digital certificate, and decrypt the data using the corresponding algorithm.

[0047] As can be seen from the above, this embodiment achieves a precise match between encryption strategy and data security level. High-security-level data uses high-strength asymmetric encryption to ensure the security of critical data and prevent data leakage and tampering. Medium- and low-security-level data uses efficient symmetric encryption, which reduces the gateway's computing pressure and transmission bandwidth usage, and improves data encryption and transmission efficiency. The addition of data digests further ensures data integrity, and the addition of digital certificates enables two-way identity authentication between the gateway and the remote platform, thereby improving the overall security and reliability of industrial IoT data transmission.

[0048] In one embodiment of this application, the sending queue includes a high-priority queue and a normal-priority queue; Encrypted data packets are stored in the corresponding sending queue according to transmission priority and sent to the remote platform via the communication network, including: Encrypted data packets marked as highest and medium priority are stored in the high priority queue, and encrypted data packets marked as normal priority are stored in the normal priority queue. Monitor the current network bandwidth and latency status of the communication network; When the network bandwidth is lower than the preset bandwidth threshold, data transmission of the normal priority queue is suspended, and data of the high priority queue is transmitted to the remote platform through the communication network. When the network bandwidth is greater than or equal to the preset bandwidth threshold, data transmission of the normal priority queue is resumed. Before generating encrypted data packets marked as normal priority, data compression technology is used to compress the corresponding real-time running data and then send it to the remote platform through the communication network.

[0049] In this embodiment, the sending queue adopts a FIFO (First In First Out) queue structure. The capacity of the high-priority queue is set to 100 queues, and the capacity of the ordinary priority queue is set to 500 queues. The storage units of the queue are dynamically allocated. When the queue is full, the earliest stored low-priority data packet is automatically discarded (the earliest data is discarded when the ordinary priority queue is full, and the earliest data in the ordinary priority queue is discarded when the high-priority queue is full), ensuring the storage and sending priority of high-priority data.

[0050] Network bandwidth and latency monitoring is performed by the gateway's network monitoring module, with a monitoring cycle set to 100ms, meaning network status data is collected every 100ms. The preset bandwidth threshold is set to 10Mbps, which was determined through on-site network debugging in the industrial environment and can be modified according to the actual network environment. This threshold is stored in the gateway's local memory. Network latency monitoring is used to assist in judging the network status. When the latency exceeds 100ms, the network status is considered poor, and further optimization of the transmission strategy is implemented.

[0051] The data compression technology uses the LZ77 algorithm to compress real-time running data corresponding to ordinary priority to 20%-50% of its original size without affecting data integrity. The compressed real-time running data is then encrypted with AES128 symmetric encryption to generate encrypted data packets and store them in the ordinary priority queue. The decompression of the compressed data is completed by the remote platform, using the corresponding LZ77 decompression algorithm to ensure that the decompressed data is consistent with the original data, with no loss or tampering.

[0052] The specific sending process of the sending queue is as follows: The first step is for the gateway to store the generated encrypted data packets into the corresponding queues according to their transmission priority. The highest priority and medium priority data packets are stored in the high priority queue, and the normal priority data packets are stored in the normal priority queue. The second step involves the network monitoring module collecting network bandwidth and latency data in real time and comparing it with preset bandwidth thresholds. Third, if the network bandwidth is less than 10Mbps, pause the transmission of the normal priority queue, and send the data packets in the high priority queue first, in FIFO order, until the high priority queue is empty or the network bandwidth is restored. Fourth, if the network bandwidth is greater than or equal to 10Mbps, resume the transmission of the normal priority queue. At the same time, before generating normal priority encrypted data packets, perform LZ77 compression on the corresponding real-time running data, then encrypt and generate data packets, store them in the normal priority queue, and send them in parallel with the data in the high priority queue. The transmission priority of the high priority queue is higher than that of the normal priority queue.

[0053] In this embodiment, the gateway categorizes encrypted data packets with different transmission priorities into high-priority and normal-priority queues. The network monitoring module monitors the network status in real time and dynamically adjusts the transmission strategy according to changes in network bandwidth. When network bandwidth is insufficient, priority is given to ensuring the transmission of high-priority data (alarm data, abnormal process parameter data), while the transmission of normal-priority data is suspended to avoid delays in critical data. When network bandwidth is sufficient, the transmission of normal-priority data is resumed, and the normal-priority data is compressed to reduce transmission bandwidth usage, thereby achieving a reasonable allocation of network resources and ensuring efficient and stable transmission of all data.

[0054] As can be seen from the above, this embodiment ensures the priority transmission of critical data by classifying and storing and sending data through priority queues, thus avoiding the problems of delay and loss of critical data when the network is congested. The transmission strategy is dynamically adjusted according to the network status, focusing on critical data when network bandwidth is insufficient and optimizing the transmission of ordinary data when bandwidth is sufficient, thereby improving the utilization rate of network resources. The application of data compression technology further reduces the bandwidth occupation of ordinary data transmission, improves the overall data transmission efficiency, and ensures the stability and real-time performance of industrial IoT data transmission.

[0055] In one embodiment of this application, the integrity verification and authentication of control commands include: Extract the timestamp from the control command, compare the timestamp with the local current time, and obtain the time difference; If the time difference exceeds the preset time window threshold, the control command is determined to be a replay attack command, the control command is discarded and a security alarm log is generated. If the time difference does not exceed the preset time window threshold, the digital signature is verified using the pre-stored public key. If the signature verification fails, the control command integrity verification or identity authentication is deemed to have failed, and the control command is discarded. If the signature verification passes, the integrity check and identity authentication are considered successful.

[0056] In this embodiment, the timestamp in the control command adopts the UTC time format, with the format "YYYY-MM-DDHH:MM:SS.XXX", accurate to milliseconds, consistent with the timestamp of the real-time running data, ensuring that the control command is associated with the corresponding real-time running data. The local current time is provided by the gateway's real-time clock module. The preset time window threshold is set to 30 seconds. This threshold is determined based on the response speed and network latency of the industrial IoT system and is used to determine whether the control command is an expired replay attack command. That is, if the difference between the timestamp of the control command and the local current time exceeds 30 seconds, it indicates that the command may be a replay attack command that has been maliciously intercepted and resent. The preset time window threshold is stored in the gateway's local memory and can be modified according to the actual application scenario.

[0057] The pre-stored public key is the public key of the remote platform. This public key is pre-stored in the gateway's security chip and corresponds to the private key used by the remote platform to generate digital signatures. The public key format adopts the PEM standard and is 2048 bits long to ensure the security and accuracy of signature verification. The signature verification process is completed by the gateway's security processing module, and the specific steps are as follows: The first step is to extract the digital signature and the text of the control command from the control instructions; The second step is to decrypt the digital signature using the pre-stored remote platform public key to obtain the decrypted hash value. The third step is to recalculate the hash value of the control command text using the SHA256 algorithm. The fourth step is to compare the decrypted hash value with the recalculated hash value. If they match, the signature verification passes; otherwise, the signature verification fails.

[0058] The generation of security alarm logs is completed by the gateway's log module. The alarm log content includes attack type (replay attack), attack time, control command content, and reason for dropping, etc. The log format adopts a fixed text format, which is convenient for later query and analysis. The operation of dropping control commands is completed by the main control chip. After dropping, the subsequent processing of the command is stopped immediately to avoid accidental execution.

[0059] In this embodiment, after receiving the control command returned by the remote platform, the gateway first extracts the timestamp from the command and compares it with the local real-time time to determine whether the command has expired. If it has expired, it is determined to be a replay attack, the command is discarded, and an alarm log is generated. If it has not expired, the gateway uses the pre-stored public key of the remote platform to verify the digital signature. By comparing the hash value, it determines whether the control command has been tampered with and whether it comes from a legitimate remote platform. If the signature verification is successful, it means that the control command is complete and legitimate and can be parsed and executed subsequently. If the signature verification fails, the command is discarded to avoid the execution of false commands.

[0060] As can be seen from the above, this embodiment effectively prevents replay attacks by comparing timestamps, avoiding the execution of expired malicious instructions; it achieves integrity verification and identity authentication of control instructions through public key signature verification, accurately identifying tampered and illegal instructions, ensuring the legality and integrity of control instructions; the generation of security alarm logs facilitates the later investigation of security risks, comprehensively improving the security of the industrial IoT control process, avoiding equipment misoperation, and ensuring production safety and equipment integrity.

[0061] In one embodiment of this application, the method further includes: Heartbeat packets are sent to the remote platform according to the preset heartbeat cycle. The heartbeat packets carry a unique session identifier and current communication link quality parameters. If no heartbeat response packet is received from the remote platform within the preset response time, the communication link is determined to be abnormal. The real-time running data obtained after the communication link is determined to be abnormal and the control instructions to be executed in the local cache are temporarily stored in the local memory, and the number of reconnection attempts is recorded. The communication connection with the remote platform is re-established according to the preset reconnection interval.

[0062] In this embodiment, the preset heartbeat period is set to 10 seconds, meaning the gateway sends a heartbeat packet to the remote platform every 10 seconds. This period is determined based on the stability requirements of the industrial IoT system and can be modified according to the actual application scenario. The heartbeat packet has a fixed length (32 bytes), where the first 16 bytes are a unique session identifier, and the last 16 bytes are communication link quality parameters. The unique session identifier is a combination of the gateway's MAC address (e.g., 00:1B:44:11:3A:B7) and the gateway number. Each gateway corresponds to a unique session identifier, which is used by the remote platform to identify different gateway devices. The communication link quality parameters include network latency (in milliseconds), packet loss rate (in %), and signal strength (in dBm). These parameters are collected in real time by the gateway's network monitoring module and filled into the heartbeat packet.

[0063] The preset response time is set to 5 seconds. If the gateway does not receive a heartbeat response packet from the remote platform within 5 seconds of sending a heartbeat packet, the communication link is considered abnormal. The heartbeat response packet is generated by the remote platform and contains a session identifier and acknowledgment information corresponding to the heartbeat packet, used to inform the gateway that the communication link is normal. Temporarily stored real-time running data is stored in the order of acquisition time, and temporarily stored control commands to be executed are stored in the order of receipt time. The storage format is binary to ensure the security and integrity of data storage. When storage capacity is insufficient, the oldest stored data is automatically overwritten (prioritizing real-time running data with normal priority).

[0064] The initial reconnection count is 0. The reconnection count is incremented by 1 after each attempt to re-establish the connection. The default reconnection interval is set to 30 seconds, meaning that a reconnection attempt is made every 30 seconds. The reconnection method involves restarting the gateway's 5G communication module and re-establishing a TCP connection with the remote platform. During the connection process, the identity information of the gateway and the remote platform is verified (through digital certificate verification). The maximum number of reconnections is set to 10 and stored in the gateway's local storage. This value can be modified according to actual needs.

[0065] The specific process is as follows: First, the gateway sends a heartbeat packet carrying a unique session identifier and link quality parameters to the remote platform according to a 10-second heartbeat cycle. The second step is for the gateway to start a 5-second timer and wait for the remote platform to return a heartbeat response packet; The third step is to determine that the communication link is normal if a heartbeat response packet is received within 5 seconds, reset the reconnection count to 0, and continue to transmit data and receive control commands normally. The fourth step is to determine that the communication link is abnormal if no heartbeat response packet is received within 5 seconds. The subsequent real-time running data and the locally cached control commands to be executed are temporarily stored to the SD card, and the reconnection count is incremented by 1. Fifth, reconnect to the remote platform at 30-second intervals, repeating steps two through four until a successful reconnection or the maximum number of reconnections is reached.

[0066] In this embodiment, the gateway periodically sends heartbeat packets to monitor the communication link status with the remote platform in real time. The session identifier in the heartbeat packet is used by the remote platform to identify the gateway, and the link quality parameters are used by the remote platform to understand the link status. If no heartbeat response is received within a preset time, it indicates that the communication link is abnormal. The gateway will temporarily store the key data to avoid data loss and automatically attempt to reconnect until the connection is restored or the maximum number of reconnections is reached, ensuring the continuity of the communication link.

[0067] As can be seen from the above, this embodiment realizes real-time monitoring of the communication link, which can detect link anomalies in a timely manner and avoid data loss and control interruption caused by link interruption; the data temporary storage function ensures that real-time running data and control commands are not lost during link anomalies, providing a guarantee for recovery after reconnection; the automatic reconnection function reduces manual intervention, improves the fault tolerance and continuity of the system, and ensures the stable operation of the industrial Internet of Things system.

[0068] In one embodiment of this application, after attempting to re-establish the connection, the method further includes: If the recorded number of reconnections exceeds the preset threshold and the communication link is still not restored, switch to local control mode. In local control mode, read the pre-stored emergency control strategy from the local memory; The system compares real-time operating data with the preset safe operating range. If the data exceeds the safe operating range, a local drive signal is generated according to the emergency control strategy and sent to the industrial equipment to control it to perform the corresponding action.

[0069] In this embodiment, the preset threshold is set to 5 times. That is, if the number of reconnections exceeds 5 and the communication link still has not been restored, the system automatically switches to local control mode. This threshold is determined based on the urgency of industrial production and system fault tolerance requirements, and can be modified according to the actual application scenario. It is stored in the gateway's local memory. Local control mode refers to a mode in which the gateway controls industrial equipment independently based on real-time operating data and pre-stored emergency control strategies, without relying on a remote platform. After switching to local control mode, the gateway stops sending data and heartbeat packets to the remote platform, stops receiving control commands from the remote platform, and focuses on local control.

[0070] The emergency control strategies pre-stored in the local memory are preset by industrial field technicians according to the safe operation requirements of the equipment and stored in the SD card. The emergency control strategies include the safe operating parameter range of the industrial equipment and the corresponding handling measures for different abnormal situations. For example, the safe operating range of the temperature parameter is 0-100℃. When the temperature exceeds 100℃, the emergency control strategy is to "generate a stop operation drive signal, control the equipment to stop operation, and generate a local alarm signal"; the safe operating range of the pressure parameter is 0.1-1.0MPa. When the pressure is lower than 0.1MPa, the emergency control strategy is to "generate a pressure adjustment drive signal, control the equipment to increase the pressure until the pressure reaches the safe range".

[0071] The preset safe operating range and emergency control strategy are matched one-to-one and stored in a table format for easy access and comparison by the gateway. The comparison between real-time operating data and the safe operating range is completed by the gateway's main control chip. The comparison cycle is the same as the data acquisition cycle (100ms). That is, every time real-time operating data is acquired, it is compared with the corresponding safe operating range to determine whether it exceeds the range.

[0072] The generation of local drive signals is consistent with that of drive signals in remote control mode. The type and parameters of the drive signals are determined according to the emergency control strategy. For example, the stop drive signal is a low-level signal (0V), and the pressure adjustment drive signal is an analog voltage signal (5-10V). A buzzer is used for local alarm signals. When a local alarm signal is generated, the buzzer will sound continuously until the staff manually resets it or the equipment returns to normal operation.

[0073] The specific process is as follows: First, the gateway attempts to re-establish the communication connection with the remote platform and records the number of reconnections; The second step is to determine if the number of reconnections has exceeded 5 and the link has not yet been restored. If not, continue to try reconnecting; if so, switch to local control mode. The third step, in local control mode, is for the main control chip to read the emergency control strategy and safe operating range pre-stored in the SD card; The fourth step is for the main control chip to compare the real-time collected operating data with the safe operating range; Fifth, if the data exceeds the safe operating range, a corresponding local drive signal is generated according to the emergency control strategy and sent to the industrial equipment, while the buzzer is activated to generate an alarm signal. The sixth step is to maintain the current operating status of the equipment if the data is within the safe operating range, continue to collect data and compare it until the communication link is restored or staff intervene.

[0074] In this embodiment, when the communication link is abnormal and reconnection fails, the gateway automatically switches to local control mode, eliminating its dependence on the remote platform. By reading the pre-stored emergency control strategy and safe operating range, it compares the operating data of the industrial equipment in real time. When the data exceeds the safe range, it generates a drive signal according to the emergency strategy, controls the equipment to perform corresponding emergency actions, and issues an alarm signal to remind on-site personnel to handle the situation, ensuring the safe operation of the equipment.

[0075] As can be seen from the above, this embodiment achieves local emergency control of industrial equipment in the event of a complete communication link failure and inability to reconnect, avoiding safety accidents caused by equipment malfunction and ensuring equipment integrity and production safety. The preset emergency control strategy is highly targeted and can quickly respond to abnormal equipment conditions, reducing losses. Local alarm signals can promptly remind staff to handle link and equipment abnormalities, improving the system's emergency response capabilities and reliability, and ensuring the continuity of industrial production.

[0076] Based on the same principle as the industrial IoT control method provided in the embodiments of this application, the embodiments of this application also provide an industrial IoT control device, applied to an industrial IoT gateway, which is communicatively connected to industrial equipment and a remote platform, such as... Figure 2 As shown, the industrial Internet of Things (IIoT) control device 20 may specifically include: a data analysis module 21, an encryption module 22, a communication module 23, a receiving module 24, a verification module 25, and a control module 26. The data analysis module 21 is used to acquire real-time operating data of industrial equipment, perform feature analysis on the real-time operating data, and determine the security level and transmission priority of the real-time operating data. Encryption module 22 is used to encrypt real-time running data according to the corresponding encryption strategy based on the security level, and generate encrypted data packets; Communication module 23 is used to store encrypted data packets into the corresponding sending queue according to the transmission priority and send them to the remote platform through the communication network; The receiving module 24 is used to receive control instructions returned by the remote platform. The control instructions are returned by the remote platform after parsing the encrypted data packet and generating a control policy, and carry a timestamp and digital signature associated with the real-time running data. Verification module 25 is used to perform integrity verification and identity authentication on control commands. If both integrity verification and identity authentication are successful, the control commands are parsed to obtain control parameters. The control module 26 is used to generate drive signals according to control parameters and send them to industrial equipment to control it to perform corresponding actions.

[0077] In one embodiment of this application, the data analysis module 21 is specifically used for: Data tags are extracted from real-time operational data. These data tags include equipment status identifiers, alarm identifiers, and process parameter identifiers. If the data tag contains an alarm identifier, the security level of the real-time running data will be set to high security level, and the transmission priority will be set to the highest priority. If the data tag does not contain an alarm identifier, but contains a process parameter identifier and the rate of change of the parameter value corresponding to the process parameter identifier exceeds the preset process parameter change threshold, then the security level of the real-time running data will be set to medium security level, and the transmission priority will be set to medium priority. If the data tag does not contain alarm or process parameter tags, but contains a device status tag indicating that the device is in normal operation, then the security level of the real-time operating data will be set to low security level, and the transmission priority will be set to normal priority.

[0078] In one embodiment of this application, the encryption module 22 is specifically used for: When the security level is high, an asymmetric encryption algorithm is used to encrypt the real-time running data, and a digital certificate is attached to generate an encrypted data packet. When the security level is medium or low, a symmetric encryption algorithm is used to encrypt the real-time running data and generate encrypted data packets. The encrypted data packet header includes a data digest, which is calculated from real-time running data using a hash algorithm.

[0079] In one embodiment of this application, the sending queue includes a high-priority queue and a normal-priority queue; Communication module 23 is specifically used for: Encrypted data packets marked as highest and medium priority are stored in the high priority queue, and encrypted data packets marked as normal priority are stored in the normal priority queue. Monitor the current network bandwidth and latency status of the communication network; When the network bandwidth is lower than the preset bandwidth threshold, data transmission of the normal priority queue is suspended, and data of the high priority queue is transmitted to the remote platform through the communication network. When the network bandwidth is greater than or equal to the preset bandwidth threshold, data transmission of the normal priority queue is resumed. Before generating encrypted data packets marked as normal priority, data compression technology is used to compress the corresponding real-time running data and then send it to the remote platform through the communication network.

[0080] In one embodiment of this application, the verification module 25 is specifically used for: Extract the timestamp from the control command, compare the timestamp with the local current time, and obtain the time difference; If the time difference exceeds the preset time window threshold, the control command is determined to be a replay attack command, the control command is discarded and a security alarm log is generated. If the time difference does not exceed the preset time window threshold, the digital signature is verified using the pre-stored public key. If the signature verification fails, the control command integrity verification or identity authentication is deemed to have failed, and the control command is discarded. If the signature verification passes, the integrity check and identity authentication are considered successful.

[0081] In one embodiment of this application, an industrial Internet of Things (IoT) control device 20 further includes: a communication anomaly detection module, specifically used for: Heartbeat packets are sent to the remote platform according to the preset heartbeat cycle. The heartbeat packets carry a unique session identifier and current communication link quality parameters. If no heartbeat response packet is received from the remote platform within the preset response time, the communication link is determined to be abnormal. The real-time running data obtained after the communication link is determined to be abnormal and the control instructions to be executed in the local cache are temporarily stored in the local memory, and the number of reconnection attempts is recorded. The communication connection with the remote platform is re-established according to the preset reconnection interval.

[0082] In one embodiment of this application, the communication anomaly detection module is further configured to: If the recorded number of reconnections exceeds the preset threshold and the communication link is still not restored, switch to local control mode. In local control mode, read the pre-stored emergency control strategy from the local memory; The system compares real-time operating data with the preset safe operating range. If the data exceeds the safe operating range, a local drive signal is generated according to the emergency control strategy and sent to the industrial equipment to control it to perform the corresponding action.

[0083] The apparatus in this application embodiment can execute the method provided in this application embodiment, and the implementation principle is similar. The actions performed by each module in the apparatus of each embodiment of this application correspond to the steps in the method of each embodiment of this application. For detailed functional descriptions of each module of the apparatus, please refer to the descriptions in the corresponding methods shown above, which will not be repeated here.

[0084] Figure 3 This paper illustrates a structural schematic diagram of an industrial IoT gateway applicable to embodiments of this application, as shown below. Figure 3 As shown, the industrial IoT gateway can be used to implement the methods provided in any embodiment of this application.

[0085] like Figure 3As shown, the industrial IoT gateway 300 may primarily include at least one processor 301. Figure 3 The diagram shows components such as a memory 302, a communication module 303, and an input / output interface 304. Optionally, these components can be connected and communicate with each other via a bus 305. It should be noted that... Figure 3 The structure of the industrial IoT gateway 300 shown is merely illustrative and does not constitute a limitation on the industrial IoT gateway to which the methods provided in the embodiments of this application are applicable.

[0086] The memory 302 can be used to store operating systems and applications, etc. The applications can include computer programs that implement the methods shown in the embodiments of this application when invoked by the processor 301, and can also include programs for implementing other functions or services. The memory 302 can be ROM (Read Only Memory) or other types of static storage devices that can store static information and instructions, RAM (Random Access Memory) or other types of dynamic storage devices that can store information and computer programs, or it can be EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital universal optical discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.

[0087] Processor 301 is connected to memory 302 via bus 305 and implements corresponding functions by calling the application programs stored in memory 302. Processor 301 can be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or other programmable logic devices, transistor logic devices, hardware components, or any combination thereof. It can implement or execute the various exemplary logic blocks, modules, and circuits described in conjunction with the disclosure of this application. Processor 301 can also be a combination that implements computing functions, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.

[0088] The industrial IoT gateway 300 can connect to the network via a communication module 303 (which may include, but is not limited to, components such as network interfaces) to communicate with other devices (such as user terminals or servers) through the network and achieve data interaction, such as sending data to or receiving data from other devices. The communication module 303 may include wired network interfaces and / or wireless network interfaces, meaning the communication module may include at least one of wired or wireless communication modules.

[0089] The Industrial IoT Gateway 300 can connect to necessary input / output devices, such as keyboards and display devices, via its input / output interface 304. The Industrial IoT Gateway 300 itself can have a display device, and other display devices can also be connected externally via interface 304. Optionally, a storage device, such as a hard drive, can also be connected via interface 304 to store data from the Industrial IoT Gateway 300, read data from the storage device, or store data from the storage device in a memory 302. It is understood that the input / output interface 304 can be a wired interface or a wireless interface. Depending on the actual application scenario, the device connected to the input / output interface 304 can be an integral part of the Industrial IoT Gateway 300 or an external device connected to the Industrial IoT Gateway 300 when needed.

[0090] The bus 305 used to connect the components may include a path for transmitting information between the components. The bus 305 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, etc. Depending on its function, the bus 305 may be divided into an address bus, a data bus, a control bus, etc.

[0091] Optionally, for the solution provided in the embodiments of this application, the memory 302 can be used to store a computer program that executes the solution of this application, and the processor 301 runs the computer program. When the processor 301 runs the computer program, it implements the operation of the method or apparatus provided in the embodiments of this application.

[0092] Based on the same principle as the method provided in the embodiments of this application, the embodiments of this application provide a computer-readable storage medium storing a computer program, which, when executed by a processor, can implement the corresponding content of the aforementioned method embodiments.

[0093] This application also provides a computer program product, which includes a computer program that, when executed by a processor, can implement the corresponding content of the aforementioned method embodiments.

[0094] It should be noted that the terms "first," "second," "third," "fourth," "1," "2," etc. (if present) in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in a sequence other than that shown in the figures or text.

[0095] In the embodiments of this application, the terms "module" or "unit" refer to a computer program or part of a computer program that has a predetermined function and works with other related parts to achieve a predetermined goal, and can be implemented wholly or partially using software, hardware (such as processing circuitry or memory), or a combination thereof. Similarly, a processor (or multiple processors or memory) can be used to implement one or more modules or units. Furthermore, each module or unit can be part of an overall module or unit that includes the functionality of that module or unit.

[0096] It should be understood that although arrows indicate various operation steps in the flowcharts of this application's embodiments, the order in which these steps are implemented is not limited to the order indicated by the arrows. Unless explicitly stated herein, in some implementation scenarios of this application's embodiments, the implementation steps in each flowchart can be executed in other orders as required. Furthermore, some or all steps in each flowchart, based on the actual implementation scenario, may include multiple sub-steps or multiple stages. Some or all of these sub-steps or stages can be executed at the same time, and each sub-step or stage can also be executed at different times. In scenarios where execution times differ, the execution order of these sub-steps or stages can be flexibly configured according to requirements, and this application's embodiments do not limit this.

[0097] The above description is only an optional implementation method for some implementation scenarios of this application. It should be noted that for those skilled in the art, other similar implementation methods based on the technical concept of this application without departing from the technical concept of this application also fall within the protection scope of the embodiments of this application.

Claims

1. A control method for an industrial Internet of Things (IoT), characterized in that, Applied to an industrial IoT gateway, wherein the industrial IoT gateway is communicatively connected to industrial equipment and a remote platform, the method includes: The real-time operating data of the industrial equipment is acquired, and feature analysis is performed on the real-time operating data to determine the security level and transmission priority of the real-time operating data. Based on the security level, a corresponding encryption strategy is matched to encrypt the real-time running data to generate an encrypted data packet; The encrypted data packet is stored in the corresponding sending queue according to the transmission priority and sent to the remote platform through the communication network. The system receives control commands returned by the remote platform, wherein the control commands are returned by the remote platform after parsing the encrypted data packet and generating a control policy, and carry a timestamp and digital signature associated with the real-time running data. The control command is subjected to integrity verification and identity authentication. If both integrity verification and identity authentication are successful, the control command is parsed to obtain control parameters. A drive signal is generated based on the control parameters and sent to the industrial equipment to control it to perform corresponding actions.

2. The control method for an industrial Internet of Things as described in claim 1, characterized in that, The step of performing feature analysis on the real-time operational data to determine the security level and transmission priority of the real-time operational data includes: Data tags are extracted from the real-time operating data, and the data tags include equipment status identifiers, alarm identifiers, and process parameter identifiers; If the data tag contains an alarm identifier, the security level of the real-time running data is set to high security level, and the transmission priority is set to the highest priority. If the data tag does not contain an alarm identifier, but contains a process parameter identifier and the rate of change of the parameter value corresponding to the process parameter identifier exceeds a preset process parameter change threshold, then the security level of the real-time operation data is set to medium security level, and the transmission priority is set to medium priority. If the data tag does not contain alarm identifiers and process parameter identifiers, but contains equipment status identifiers and the equipment status identifiers indicate that the equipment is in normal operating condition, then the security level of the real-time operating data is set to low security level, and the transmission priority is set to normal priority.

3. The industrial Internet of Things (IoT) control method as described in claim 2, characterized in that, The step of encrypting the real-time running data according to the corresponding encryption strategy matched with the security level to generate an encrypted data packet includes: When the security level is high, an asymmetric encryption algorithm is used to encrypt the real-time running data, and a digital certificate is attached to generate an encrypted data packet; When the security level is medium or low, a symmetric encryption algorithm is used to encrypt the real-time running data to generate an encrypted data packet; The encrypted data packet includes a data digest in its header, which is calculated from the real-time running data using a hash algorithm.

4. The control method for an industrial Internet of Things as described in claim 2, characterized in that, The sending queue includes a high-priority queue and a normal-priority queue; The step of storing the encrypted data packet into the corresponding sending queue according to the transmission priority and sending it to the remote platform through the communication network includes: Encrypted data packets marked as highest priority and medium priority are stored in the high priority queue, and encrypted data packets marked as normal priority are stored in the normal priority queue. Monitor the current network bandwidth and latency status of the communication network; When the network bandwidth is lower than a preset bandwidth threshold, the data transmission of the ordinary priority queue is suspended, and the data of the high priority queue is transmitted to the remote platform through the communication network. When the network bandwidth is greater than or equal to a preset bandwidth threshold, the data transmission of the normal priority queue is resumed. Before generating the encrypted data packet marked as normal priority, the corresponding real-time running data is compressed using data compression technology and then sent to the remote platform through the communication network.

5. The control method for an industrial Internet of Things as described in claim 1, characterized in that, The integrity verification and authentication of the control command includes: Extract the timestamp from the control command, compare the timestamp with the local current time, and obtain the time difference; If the time difference exceeds a preset time window threshold, the control command is determined to be a replay attack command, the control command is discarded, and a security alarm log is generated. If the time difference does not exceed the preset time window threshold, the digital signature is verified using the pre-stored public key. If the signature verification fails, it is determined that the integrity verification or identity authentication of the control command has failed, and the control command is discarded. If the signature verification passes, the integrity check and identity authentication are deemed successful.

6. The control method for an industrial Internet of Things as described in claim 1, characterized in that, The method further includes: According to a preset heartbeat cycle, a heartbeat packet is sent to the remote platform. The heartbeat packet carries a unique session identifier and current communication link quality parameters. If no heartbeat response packet is received from the remote platform within the preset response time, the communication link is determined to be abnormal. The real-time running data obtained after the communication link is determined to be abnormal and the control instructions to be executed in the local cache are temporarily stored in the local memory, and the number of reconnection attempts is recorded. The communication connection with the remote platform is re-established according to the preset reconnection interval.

7. The control method for an industrial Internet of Things as described in claim 6, characterized in that, Following the attempt to re-establish the connection, the following is also included: If the recorded number of reconnections exceeds the preset threshold and the communication link is still not restored, switch to local control mode. In local control mode, read the pre-stored emergency control strategy from the local memory; The real-time operating data is compared with the preset safe operating range. If the safe operating range is exceeded, a local drive signal is generated according to the emergency control strategy and sent to the industrial equipment to control it to perform the corresponding action.

8. A control device for an industrial Internet of Things, characterized in that, An industrial IoT gateway, which is communicatively connected to industrial equipment and a remote platform, includes: The data analysis module is used to acquire real-time operating data of the industrial equipment, perform feature analysis on the real-time operating data, and determine the security level and transmission priority of the real-time operating data. An encryption module is used to encrypt the real-time running data according to the security level and match the corresponding encryption strategy to generate an encrypted data packet. The communication module is used to store the encrypted data packets into the corresponding sending queue according to the transmission priority, and send them to the remote platform through the communication network; The receiving module is used to receive control instructions returned by the remote platform, wherein the control instructions are returned by the remote platform after parsing the encrypted data packet and generating a control policy, and carry a timestamp and digital signature associated with the real-time running data; The verification module is used to perform integrity verification and identity authentication on the control command. If both integrity verification and identity authentication are successful, the control command is parsed to obtain control parameters. The control module is used to generate drive signals according to the control parameters and send them to the industrial equipment to control it to perform corresponding actions.

9. An industrial Internet of Things (IoT) gateway, characterized in that, The industrial IoT gateway includes a memory and a processor. The memory stores a computer program, and the processor executes an industrial IoT control method according to any one of claims 1 to 7 when running the computer program.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the industrial Internet of Things control method according to any one of claims 1 to 7.