
CN119475359A - A safety protection method for ship industrial control system - Google Patents


Info

Publication number: CN119475359A
Authority: CN (China)
Prior art keywords: control system, industrial control, user, ship, security
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202510031120.6A
Other languages: Chinese (zh)
Inventors: 倪华, 赵智青, 郭东昌, 李博闻, 洪子帆
Current assignee: Shanghai Yishi Intelligent Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shanghai Yishi Intelligent Technology Co ltd
Events: application filed by Shanghai Yishi Intelligent Technology Co ltd; priority to CN202510031120.6A; publication of CN119475359A; current legal status pending

Classifications

All four classifications fall under G (Physics) > G06 (Computing or calculating; counting) > G06F (Electric digital data processing):

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
        • G06F21/60 Protecting data
            • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

The invention discloses a security protection method for a ship industrial control system comprising the following steps. Step 1, access control and authority management: users of the ship industrial control system are authenticated and granted access when authentication passes, while user authority information is collected and analysed to carry out user authority control. Step 2, data encryption: data in the industrial control system is encrypted for transmission. Step 3, vulnerability repair: the ship industrial control system is checked for vulnerabilities, patches are applied and the vulnerabilities are fixed. Step 4: intrusion detection and protection for the control system. Step 5: security training and management of system users. Step 6: security-related information about the ship industrial control system is collected periodically and analysed to obtain security warning information. The invention provides more comprehensive security protection for the ship industrial control system and ensures its safe and stable operation.

Description

Safety protection method for ship industrial control system
Technical Field
The invention relates to the field of security protection, in particular to a security protection method for a ship industrial control system.
Background
A ship industrial control system is the automated, intelligent control system used in ship manufacturing, operation and management. Such systems cover every phase of a vessel's life, from design and construction through sailing and maintenance, to keep the vessel operating safely, efficiently and in an environmentally friendly way.
In actual use the ship industrial control system must be protected, so that its information security, and in turn its stable operation, is guaranteed; a security protection method is applied for this purpose.
Existing protection methods provide only a single type of protection. Their overall protective effect is therefore poor and does not meet the actual protection requirement, which limits their usefulness. The security protection method for a ship industrial control system described here is provided to address this.
Disclosure of Invention
The technical problem solved by the invention is that existing security protection methods provide only a single type of protection, so that the overall protective effect is poor, the actual protection requirement is not met and the usefulness of the method is limited. The invention provides a security protection method for a ship industrial control system to address this.
The invention solves this technical problem with the following technical scheme, which comprises the following steps:
Step one, access control and authority management: identity verification is carried out on a user of the ship industrial control system, and access is allowed when the identity verification passes; at the same time, user authority information is collected and analysed to carry out user authority control;
Step two, data encryption: the data in the industrial control system is encrypted for transmission;
Step three, vulnerability repair: the ship industrial control system is checked for vulnerabilities, patches are applied and the vulnerabilities are repaired;
Step four, intrusion detection and protection of the control system;
Step five, security training and management of system users;
Step six, security-related information about the ship industrial control system is collected periodically and analysed to obtain security warning information.
The authentication methods available for verifying a user of the ship industrial control system are user name and password, fingerprint identification, smart card/token, and biometric identification;
The identity authentication proceeds as follows: the user selects any one of user name and password, fingerprint identification, smart card/token and biometric identification according to the actual situation, with the user name and password identified first;
After the primary check passes, any one method other than the primary one is selected from user name and password, fingerprint identification, smart card/token and biometric identification for secondary verification. When the secondary verification passes, identity-verification-passed information is generated and the user is allowed to use the ship industrial control system;
The collected user authority information is then extracted. It comprises the user's authority level and the number of authentication failures within a preset time window; the ratio of the number of authentication failures in the window to the length of the window is calculated to obtain the evaluation parameter;
the user levels are first-level user, second-level user and third-level user;
when the user is a first-level user and the evaluation parameter is larger than a preset value, the user is degraded to a second-level user;
when the user is a second-level user and the evaluation parameter is larger than the preset value, the user is degraded to a third-level user;
and when the user is a third-level user and the evaluation parameter remains continuously larger than the preset value for more than a preset number of times, authorization of the user is stopped.
Further, when the secondary verification fails, regardless of which two methods were used, biometric identification is selected to perform identity verification again; when that verification passes, the user is allowed to use the ship industrial control system, and when it fails, abnormal-personnel warning information is generated as a warning.
Further, the specific process of data encryption is as follows:
Selecting a secure transport protocol: a suitable secure transport protocol is selected according to the requirements and security needs of the ship industrial control system;
Key generation: each of the two communicating parties generates a pair of public and private keys;
Key exchange: through a secure key exchange protocol, the two parties exchange key information securely, which ensures the security of the subsequent encrypted communication;
Data encryption: the data to be transmitted is encrypted with the encryption algorithm negotiated by the two parties; the encrypted content includes control instructions, status information and sensor data;
Integrity protection: in addition to encrypting the data, a message authentication code or digital signature is used to protect its integrity;
Establishing an encrypted channel and transmitting the data: an encrypted communication channel is established between the two parties based on the SSL/TLS protocol, and the sender transmits the encrypted data to the receiver through this channel;
Decrypting and verifying the data: the receiver receives the encrypted data from the encrypted channel and decrypts it with its own private key and the previously negotiated encryption algorithm to recover the original data; finally the receiver verifies the data, checking its integrity and the reliability of its source against the message authentication code or digital signature.
Further, the specific process of vulnerability repair is as follows:
First, vulnerability identification and classification: vulnerabilities in the industrial control system are divided into two main categories, software vulnerabilities and hardware vulnerabilities;
the identified vulnerabilities are evaluated to determine their severity and scope of impact;
Software vulnerability repair: vulnerability repair software is used, and the patches and updates released by suppliers for known software vulnerabilities are installed promptly;
Hardware vulnerability repair: firmware is updated to address firmware problems in hardware devices;
Hardware replacement: when hardware has a design defect that cannot be repaired by a firmware update, the hardware device is replaced;
Hardening measure, security isolation: a security isolation device is used to isolate the industrial control system from external networks such as the Internet;
Verifying and testing the repair: the repaired system is verified and tested, and the vulnerability repair process is complete once the verification test passes.
The specific process of intrusion detection and protection of the control system is as follows:
First, intrusion detection system (IDS) deployment: an IDS technology is selected based on the characteristics and requirements of the ship industrial control system; the options are a host-based IDS, a network-based IDS or a hybrid IDS;
IDS deployment: the IDS is deployed at preset locations in the system;
Information collection: the IDS gathers information from a number of sources, including unexpected changes in system and network logs, in directories and files, unexpected program behaviour, and physical signs of intrusion;
Data analysis: the IDS analyses the collected information to find anomalies or signs of attack, using pattern matching, statistical analysis or machine learning techniques;
Anomaly detection and misuse detection: anomaly detection builds a model of normal system access behaviour and detects behaviour that does not conform to the model;
misuse detection detects possible attacks by matching known unacceptable behaviour patterns;
Alarm generation: when the IDS detects an intrusion, an alarm is generated to notify the administrator;
Response: the administrator adopts an appropriate response strategy according to the alarm information;
Updating and maintaining the protection strategy: the rule base and engine of the IDS are updated periodically;
Network isolation: the ship industrial control system is isolated from external networks using network isolation technology;
Security audit: the ship industrial control system is audited regularly for security, potential security vulnerabilities and risks are identified, and they are repaired and improved.
Further, the specific process of security training for system users is as follows:
System users take a security protection test at regular intervals, yielding a security test score each time. x consecutive security test scores of a user are collected; the maximum and minimum of these x scores are removed and the average of the remaining scores is calculated, giving the individual's security training evaluation score. When an individual's security training evaluation score is lower than a preset value, personnel training information is generated and sent to that person, prompting them to undertake security training.
The specific process of obtaining the security warning information is as follows: the collected security-related information is extracted; it comprises, within a preset duration, the number of abnormal network fluctuations of the ship industrial control system, the number of attacks on the network of the ship industrial control system, and the number of attacks on the database of the ship industrial control system;
the number of abnormal network fluctuations in the preset duration is extracted and marked as U1, the number of attacks on the ship industrial control system network as U2, and the number of attacks on the ship industrial control system database as U3;
U1 is given a correction value Q1, U2 a correction value Q2 and U3 a correction value Q3, where Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2;
the protection evaluation parameter Uu is obtained by the formula U1 × Q1 + U2 × Q2 + U3 × Q3 = Uu;
and when the protection evaluation parameter Uu is larger than a preset value, security warning information is generated.
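The two evaluation rules of steps five and six, as an added Go example that is not part of the patent: the trimmed average of a user's x security test scores, and the protection evaluation parameter Uu with the stated constraints on Q1, Q2 and Q3. The concrete scores, weights and preset values are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"sort"
)

// TrainingScore implements the step-five rule: from the x consecutive security test
// scores of one person, remove the single highest and the single lowest and average
// the rest. Fewer than three scores leave nothing to average, so that is an error.
func TrainingScore(scores []float64) (float64, error) {
	if len(scores) < 3 {
		return 0, errors.New("need at least three scores to drop the max and min")
	}
	s := append([]float64(nil), scores...) // sort a copy, keep the caller's order
	sort.Float64s(s)
	rest := s[1 : len(s)-1]
	sum := 0.0
	for _, v := range rest {
		sum += v
	}
	return sum / float64(len(rest)), nil
}

// NeedsTraining reports whether personnel training information should be sent,
// i.e. whether the evaluation score is below the preset value.
func NeedsTraining(scores []float64, preset float64) (bool, error) {
	score, err := TrainingScore(scores)
	if err != nil {
		return false, err
	}
	return score < preset, nil
}

// Weights are the correction values Q1, Q2, Q3 of step six. The patent constrains
// them to Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2 (database attacks weigh most).
type Weights struct{ Q1, Q2, Q3 float64 }

func (w Weights) Validate() error {
	if math.Abs(w.Q1+w.Q2+w.Q3-1) > 1e-9 {
		return errors.New("Q1 + Q2 + Q3 must equal 1")
	}
	if !(w.Q3 > w.Q1 && w.Q1 > w.Q2) {
		return errors.New("weights must satisfy Q3 > Q1 > Q2")
	}
	return nil
}

// ProtectionParameter computes Uu = U1*Q1 + U2*Q2 + U3*Q3 from the counts in the
// preset window: u1 abnormal network fluctuations, u2 network attacks, u3 database attacks.
func ProtectionParameter(u1, u2, u3 int, w Weights) (float64, error) {
	if err := w.Validate(); err != nil {
		return 0, err
	}
	return float64(u1)*w.Q1 + float64(u2)*w.Q2 + float64(u3)*w.Q3, nil
}

// SafetyWarning reports whether security warning information is generated, i.e.
// whether Uu exceeds the preset value, and returns Uu for the record.
func SafetyWarning(u1, u2, u3 int, w Weights, preset float64) (bool, float64, error) {
	uu, err := ProtectionParameter(u1, u2, u3, w)
	if err != nil {
		return false, 0, err
	}
	return uu > preset, uu, nil
}

func main() {
	// Constructed values: five test scores, weights 0.3/0.2/0.5, and a window with
	// 4 fluctuations, 2 network attacks and 3 database attacks.
	need, _ := NeedsTraining([]float64{80, 95, 60, 70, 90}, 85)
	fmt.Println("training needed:", need)
	warn, uu, err := SafetyWarning(4, 2, 3, Weights{Q1: 0.3, Q2: 0.2, Q3: 0.5}, 3.0)
	fmt.Println("Uu =", uu, "warning:", warn, "err:", err)
}
```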
Compared with the prior art, the security protection method for a ship industrial control system has the following advantages. Implementing an effective identity verification strategy greatly improves the safety and stability of the ship industrial control system and prevents unauthorized access: identity verification ensures that only authorized, verified users can access the system, so that only legitimate users can access and operate users' personal data and the key assets of the ship industrial control system. This helps prevent data leakage, tampering or destruction, protects the core interests of the enterprise and improves the security of the system. Encrypted transmission ensures that data in the ship industrial control system is protected in transit; even if the data is intercepted, unauthorized users cannot decrypt it and obtain the sensitive information it contains. This greatly improves data security, reduces the risk of data leakage and helps improve the security of the overall ship industrial control system;
Intrusion detection monitors the network activity of the ship industrial control system in real time, so that any potential malicious behaviour or threat is detected and identified. Real-time monitoring ensures that the system responds the moment a threat occurs, reducing the scope of impact of the security event; through intrusion detection the system can identify and block unauthorized access, malicious software, phishing and other attack methods, effectively protecting the data security and stability of the ship industrial control system. The method prevents data leakage and damage and keeps the control system operating normally, which makes it well worth promoting and using.
Drawings
Fig. 1 is an overall flow chart of the present invention.
Detailed Description
The following describes the examples of the invention in detail. They are implemented on the premise of the technical solution of the invention, and detailed embodiments and specific operating procedures are given, but the scope of protection of the invention is not limited to the following examples.
As shown in Fig. 1, the embodiment provides a technical scheme in which a security protection method for a ship industrial control system comprises the following steps:
Step one, access control and authority management: identity verification is carried out on a user of the ship industrial control system, and access is allowed when the identity verification passes; at the same time, user authority information is collected and analysed to carry out user authority control;
Step two, data encryption: the data in the industrial control system is encrypted for transmission;
Step three, vulnerability repair: the ship industrial control system is checked for vulnerabilities, patches are applied and the vulnerabilities are repaired;
Step four, intrusion detection and protection of the control system;
Step five, security training and management of system users;
Step six, security-related information about the ship industrial control system is collected periodically and analysed to obtain security warning information.
The authentication methods available for verifying a user of the ship industrial control system are user name and password, fingerprint identification, smart card/token, and biometric identification;
The identity authentication proceeds as follows: the user selects any one of user name and password, fingerprint identification, smart card/token and biometric identification according to the actual situation, with the user name and password identified first;
After the primary check passes, any one method other than the primary one is selected from user name and password, fingerprint identification, smart card/token and biometric identification for secondary verification. When the secondary verification passes, identity-verification-passed information is generated and the user is allowed to use the ship industrial control system;
The collected user authority information is then extracted. It comprises the user's authority level and the number of authentication failures within a preset time window; the ratio of the number of authentication failures in the window to the length of the window is calculated to obtain the evaluation parameter;
the user levels are first-level user, second-level user and third-level user;
when the user is a first-level user and the evaluation parameter is larger than a preset value, the user is degraded to a second-level user;
when the user is a second-level user and the evaluation parameter is larger than the preset value, the user is degraded to a third-level user;
When the user is a third-level user and the evaluation parameter remains continuously larger than the preset value for more than a preset number of times, authorization is stopped;
Authentication is the process of validating the identity of a user, ensuring that only authorized users can access the system. In industrial control systems, authentication generally employs the following methods:
User name and password: the most common authentication method. The user provides a preset user name and password to log in to the system. To improve security, the password should be changed periodically and is required to have a certain complexity.
Fingerprint identification: identity verification using the user's fingerprint characteristics. This is more secure than a user name and password because fingerprints are unique and difficult to replicate.
Smart card/token: the user must carry a physical device (such as a smart card or token) containing specific information in order to authenticate. The device interacts with the system to verify the user's identity.
Biometric identification: facial recognition, iris recognition and other advanced authentication methods. These use the user's biological characteristics for identity verification and offer higher security.
Rights management is the process of assigning appropriate access rights and resource usage rights to a user based on their identity and role. In an industrial control system, rights management should follow these principles:
Principle of least privilege: grant a user only the minimum rights required to complete their task. This reduces the risk from a potential attack, since even an attacker who successfully breaks into the system can only access limited resources.
Role separation: separate the rights of different roles (e.g. operators, engineers, administrators). This prevents abuse of rights and mis-operation and improves the security of the system.
Permission auditing: periodically audit users' permission settings to ensure they still meet the security policies and business requirements of the organization. If a user's role or responsibilities change, their permission settings should be updated promptly.
Access auditing: record users' access activity and operation logs for tracking and investigation when security events occur. This helps to find potential security issues and take corrective action in time.
By implementing effective authentication and rights management policies, the industrial control system can greatly improve its security and stability. At the same time, to cope with increasingly complex network security threats, organizations should also take other security measures, such as updating software patches periodically, using secure communication protocols, and deploying firewalls and intrusion detection systems;
Preventing unauthorized access: authentication ensures that only authorized and authenticated users can access the ship industrial control system. This prevents unauthorized persons, such as hackers, malicious users or unauthorized internal personnel, from accessing sensitive information or performing malicious operations.
Improving system security: identity verification is an important component of system security. By verifying the identity of the user, the system can detect and prevent intrusion by a malicious user or attacker, reducing security vulnerabilities and potential security risks. This helps to improve the security of the overall ship industrial control system.
When the secondary verification fails, regardless of which two methods were used, biometric identification is selected to perform identity verification again; when that verification passes, the user is allowed to use the ship industrial control system, and when it fails, abnormal-personnel warning information is generated as a warning.
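As an added illustration that is not code from the patent or its assignee, the following Go program models the step-one flow just described: user name and password first, a different second method, one biometric retry when the second check fails, the abnormal-personnel warning, and the failure-rate evaluation parameter that degrades a user's level and eventually stops authorization. The Verifier callback, the threshold of 0.01 failures per second and the limit of two consecutive windows are assumed stand-ins for values the patent leaves unspecified.

```go
package main

import (
	"errors"
	"fmt"
)

// Method is one of the four authentication modes listed in the patent.
type Method int

const (
	Password Method = iota
	Fingerprint
	SmartCard
	Biometric
)

// Verifier answers whether a check of kind m succeeds for user. It is an assumed
// abstraction over the password store, fingerprint reader, card reader or biometric service.
type Verifier func(user string, m Method) bool

// Outcome of the authentication flow.
type Outcome struct {
	Allowed bool
	Warning string // abnormal-personnel warning, set when the biometric retry also fails
}

// Authenticate runs the flow: user name and password first, then a second, different
// method; if that fails, one biometric retry; if that fails too, deny and warn.
func Authenticate(user string, second Method, verify Verifier) (Outcome, error) {
	if second == Password {
		return Outcome{}, errors.New("secondary method must differ from the primary password check")
	}
	if !verify(user, Password) {
		return Outcome{}, nil // primary check failed; no secondary step is attempted
	}
	if verify(user, second) || verify(user, Biometric) {
		return Outcome{Allowed: true}, nil // second method passed, or the biometric retry did
	}
	return Outcome{Warning: fmt.Sprintf("abnormal personnel: %s failed the secondary check and the biometric retry", user)}, nil
}

// Account carries the authority level (1 highest, 3 lowest) and how many consecutive
// windows a third-level user has exceeded the threshold.
type Account struct {
	User       string
	Level      int
	OverStreak int
	Authorized bool
}

// Policy holds the preset values the patent leaves open (assumed numbers).
type Policy struct {
	Threshold float64 // preset value the evaluation parameter is compared with
	MaxStreak int     // preset number of consecutive exceedances tolerated at level 3
}

// EvaluationParameter is the number of authentication failures in the window divided
// by the window length, i.e. a failure rate.
func EvaluationParameter(failures int, windowSeconds float64) float64 {
	return float64(failures) / windowSeconds
}

// ApplyAuthorityControl degrades the account one level when the parameter exceeds the
// preset value; at level 3 it stops authorization once the parameter has exceeded the
// value for more than MaxStreak consecutive windows.
func ApplyAuthorityControl(a *Account, param float64, p Policy) {
	if param <= p.Threshold {
		a.OverStreak = 0 // the run of exceedances is broken
		return
	}
	switch a.Level {
	case 1:
		a.Level = 2
	case 2:
		a.Level = 3
	case 3:
		a.OverStreak++
		if a.OverStreak > p.MaxStreak {
			a.Authorized = false
		}
	}
}

func main() {
	// Constructed verifier: password and biometric checks pass, the others fail.
	verify := func(user string, m Method) bool { return m == Password || m == Biometric }
	out, _ := Authenticate("operator1", SmartCard, verify)
	fmt.Printf("allowed=%v warning=%q\n", out.Allowed, out.Warning)

	acct := Account{User: "operator1", Level: 1, Authorized: true}
	pol := Policy{Threshold: 0.01, MaxStreak: 2} // 6 failures in 300 s gives 0.02 > 0.01
	for i := 1; i <= 5; i++ {
		ApplyAuthorityControl(&acct, EvaluationParameter(6, 300), pol)
		fmt.Printf("window %d: level=%d streak=%d authorized=%v\n", i, acct.Level, acct.OverStreak, acct.Authorized)
	}
}
```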
The specific process of data encryption is as follows:
Selecting a secure transport protocol
First, a suitable secure transport protocol, such as SSL/TLS (Secure Sockets Layer/Transport Layer Security), is selected according to the requirements and security needs of the ship industrial control system.
Key generation and exchange
Asymmetric key generation: each of the two communicating parties (such as the ship control centre and a remote terminal) generates a pair of public and private keys.
Key exchange: through a secure key exchange protocol (such as Diffie-Hellman key exchange), the two parties exchange key information securely, ensuring the security of the subsequent encrypted communication.
Data encryption
Encrypting the content: the data to be transmitted is encrypted with the encryption algorithm (such as AES) negotiated by the two parties. The data here may include control instructions, status information, sensor data and the like.
Integrity protection: in addition to data encryption, a message authentication code (MAC) or digital signature technique may be employed to ensure the integrity and source reliability of the data.
Data transmission
Establishing an encrypted channel: an encrypted communication channel is established between the two parties based on the SSL/TLS protocol. This channel ensures the confidentiality and integrity of the data during transmission.
Sending the encrypted data: the sender sends the encrypted data to the receiver through the encrypted channel.
Data decryption and verification
Receiving the encrypted data: the receiver receives the encrypted data from the encrypted channel.
Decrypting the data: the receiver decrypts the received data with its own private key and the previously negotiated encryption algorithm, restoring the original data.
Data verification: the receiver can also verify the integrity and source reliability of the data against the message authentication code or digital signature.
Key updating and management
Periodic key update: to further improve security, both parties must update the key periodically, avoiding the security risk of using the same key for a long time.
Key management: a secure key management method is adopted to ensure the secure storage, transmission and updating of keys.
Security audit and monitoring
The whole encrypted transmission process is audited and monitored for security, ensuring the compliance and security of the encrypted transmission.
Potential security threats and attacks are discovered and dealt with promptly.
Through these steps, the ship industrial control system achieves encrypted data transmission, and the confidentiality, integrity and source reliability of the data in transit are ensured, improving the security of the whole system.
Encrypted transmission ensures that data in the ship industrial control system is protected in transit; even if the data is intercepted, unauthorized users cannot decrypt it and obtain the sensitive information it contains. This greatly improves the security of the data and reduces the risk of data leakage.
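An added example, not from the patent or its assignee, of the sequence above in Go with the standard library: each party generates an X25519 key pair, the public keys are exchanged, the shared secret becomes an AES-256-GCM key, and every control message is encrypted with its message type bound into the authentication tag, which covers the integrity-protection step as well. Hashing the shared secret directly instead of using HKDF, and accepting the peer's public key without a certificate, are simplifications assumed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Party is one end of the link (ship control centre or remote terminal). dir (0 or 1)
// is mixed into every nonce so both directions can share one key without nonce reuse.
type Party struct {
	dir  byte
	priv *ecdh.PrivateKey
	aead cipher.AEAD
	seq  uint64 // per-sender message counter
}

// NewParty performs the asymmetric key generation step (X25519 key pair).
func NewParty(dir byte) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{dir: dir, priv: priv}, nil
}

// PublicKey is the value each party sends to its peer during the key exchange.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Derive completes the Diffie-Hellman exchange and turns the shared secret into an
// AES-256-GCM key. Assumed simplifications: SHA-256 of the secret instead of a labelled
// HKDF, and peer public keys trusted as received (a deployment would authenticate them).
func (p *Party) Derive(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts one message. GCM's tag is the integrity protection the patent calls a
// MAC; the message type is bound as additional data so a ciphertext cannot be replayed
// as a different kind of message. Wire format: 12-byte nonce || ciphertext || 16-byte tag.
func (p *Party) Seal(msgType string, plaintext []byte) ([]byte, error) {
	if p.aead == nil {
		return nil, errors.New("key exchange not completed")
	}
	nonce := make([]byte, p.aead.NonceSize())
	nonce[0] = p.dir
	binary.BigEndian.PutUint64(nonce[4:], p.seq)
	p.seq++
	return append(nonce, p.aead.Seal(nil, nonce, plaintext, []byte(msgType))...), nil
}

// Open decrypts and verifies; any change to nonce, ciphertext, tag or type fails.
func (p *Party) Open(msgType string, wire []byte) ([]byte, error) {
	if p.aead == nil {
		return nil, errors.New("key exchange not completed")
	}
	ns := p.aead.NonceSize()
	if len(wire) < ns+p.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return p.aead.Open(nil, wire[:ns], wire[ns:], []byte(msgType))
}

// Exchange runs the whole sequence between a and b and returns what b recovered.
func Exchange(a, b *Party, msgType string, msg []byte) ([]byte, error) {
	if err := a.Derive(b.PublicKey()); err != nil {
		return nil, err
	}
	if err := b.Derive(a.PublicKey()); err != nil {
		return nil, err
	}
	wire, err := a.Seal(msgType, msg)
	if err != nil {
		return nil, err
	}
	return b.Open(msgType, wire)
}

func main() {
	centre, _ := NewParty(0)
	terminal, _ := NewParty(1)
	got, err := Exchange(centre, terminal, "CONTROL", []byte("SET_RUDDER 12")) // constructed command
	fmt.Printf("terminal recovered %q (err=%v)\n", got, err)
}
```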
The specific process of vulnerability repair is as follows:
First, vulnerability identification and classification: vulnerabilities in the industrial control system are divided into two main categories, software vulnerabilities and hardware vulnerabilities;
the identified vulnerabilities are evaluated to determine their severity and scope of impact;
Software vulnerability repair: vulnerability repair software is used, and the patches and updates released by suppliers for known software vulnerabilities are installed promptly;
Hardware vulnerability repair: firmware is updated to address firmware problems in hardware devices;
Hardware replacement: when hardware has a design defect that cannot be repaired by a firmware update, the hardware device is replaced;
Hardening measure, security isolation: a security isolation device is used to isolate the industrial control system from external networks such as the Internet;
Verifying and testing the repair: the repaired system is verified and tested, and the vulnerability repair process is complete once the verification test passes.
The specific process of intrusion detection and protection of the control system is as follows:
Intrusion detection system (IDS) deployment
Selecting the IDS technology: an appropriate intrusion detection technology is selected based on the characteristics and requirements of the ship industrial control system; this may be a host-based IDS, a network-based IDS, or a hybrid IDS.
Deploying the IDS: the IDS is deployed at critical locations in the system, such as behind a gateway or firewall, or on the network segment directly connected to important servers.
Intrusion detection process
Information collection: the IDS gathers information from multiple sources, including system and network logs, unexpected changes to directories and files, unexpected program behaviour, and physical signs of intrusion.
Data analysis: the IDS analyses the collected information for anomalies or signs of attack, using pattern matching, statistical analysis, or machine learning techniques.
Anomaly detection and misuse detection. Anomaly detection: a model of normal system access behaviour is built, and behaviour that does not fit the model is detected.
Misuse detection: possible attacks are detected by matching known unacceptable patterns of behaviour.
Intrusion response
Alert generation: when the IDS detects a possible intrusion, it generates an alert to notify the administrator.
Response strategy: the administrator takes an appropriate response based on the alert information, such as disconnecting the connection, logging, notifying the relevant personnel, or triggering other automated response measures.
Protection strategy
Updating and maintenance: the IDS rule repository and engine are updated periodically so that it can detect the latest threats.
Network isolation: the ship industrial control system is isolated from external networks using a firewall, VPN or other network isolation technology, reducing the potential attack surface.
Encrypted transmission: key data is transmitted encrypted, ensuring its confidentiality and integrity in transit.
Access control: strict access control policies, including authentication, authorization and auditing, are implemented to prevent unauthorized access and operation.
Security audit: the ship industrial control system is audited regularly to identify potential security vulnerabilities and risks, which are repaired and improved promptly.
Through the combined application of these steps, effective intrusion detection and protection of the ship industrial control system can be achieved, improving the security and stability of the system;
Real-time threat detection: the intrusion detection system monitors the network activity of the ship industrial control system in real time, detecting and identifying potential malicious behaviour or threats. Such real-time monitoring ensures a response as soon as a threat occurs, reducing the scope of impact of a security event.
Improved system security: through intrusion detection, the system can identify and block unauthorized access, malware, phishing and other attack techniques, effectively protecting the data security and stability of the ship industrial control system. This prevents data leakage and destruction and ensures normal operation of the control system.
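The detection process above names two complementary modes: misuse detection (matching known-bad patterns) and anomaly detection (a learned model of normal access, with departures flagged). The following added Python example, not code from the patent, runs both over a constructed Modbus/TCP gateway log: a signature list for unauthorised writes, diagnostics and device-identification reconnaissance, and a baseline that learns the normal (source, destination, function code) flows and per-source request rates from a clean window. Hosts, log format and function-code choices are assumptions for the example.

```python
"""Misuse (signature) detection plus anomaly detection over Modbus/TCP
gateway logs, the two detection modes named in the procedure above.

Added example, not code from the patent. The log format, hosts, function
codes in the signatures and the sample logs are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Parse 'ts=... src=... dst=... fc=3 len=12' into a dict; fc/len become ints."""
    rec = dict(KV.findall(line))
    for key in ("fc", "len"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


# --- Misuse detection: match known-bad patterns ----------------------------
ENGINEERING_HOSTS = {"10.1.1.50"}    # the only station allowed to write or run diagnostics
SIGNATURES = [
    ("modbus-write-from-unauthorised-host",
     lambda r: r.get("fc") in (5, 6, 15, 16) and r["src"] not in ENGINEERING_HOSTS),
    ("modbus-diagnostic-from-unauthorised-host",
     lambda r: r.get("fc") == 8 and r["src"] not in ENGINEERING_HOSTS),
    ("modbus-device-id-recon",
     lambda r: r.get("fc") == 43),   # Read Device Identification: typical reconnaissance
]


def misuse_alerts(records: list) -> list:
    """(timestamp, source, signature name) for every record matching a signature."""
    return [(r["ts"], r["src"], name)
            for r in records for name, match in SIGNATURES if match(r)]


# --- Anomaly detection: learn a model of normal access, flag departures ----
class Baseline:
    def __init__(self, records: list):
        # Normal model, part 1: the set of (src, dst, function code) triples seen.
        self.known = {(r["src"], r["dst"], r.get("fc")) for r in records}
        # Part 2: per-source requests-per-minute statistics (ts[:16] is the minute bucket).
        per_min = Counter((r["src"], r["ts"][:16]) for r in records)
        by_src = defaultdict(list)
        for (src, _minute), n in per_min.items():
            by_src[src].append(n)
        self.rate = {s: (statistics.mean(v), statistics.pstdev(v)) for s, v in by_src.items()}

    def alerts(self, records: list) -> list:
        out = []
        for r in records:
            key = (r["src"], r["dst"], r.get("fc"))
            if key not in self.known:
                out.append((r["ts"], r["src"], f"new-flow {key[0]}->{key[1]} fc={key[2]}"))
        per_min = Counter((r["src"], r["ts"][:16]) for r in records)
        for (src, minute), n in per_min.items():
            mean, sd = self.rate.get(src, (0.0, 0.0))
            # floor the deviation at 1 so a perfectly flat baseline still has a margin
            if n > mean + 3 * max(sd, 1.0):
                out.append((minute, src, f"rate-anomaly {n}/min (baseline {mean:.1f}/min)"))
        return out


def run_ids(baseline_log: str, live_log: str) -> dict:
    train = [parse(l) for l in baseline_log.strip().splitlines()]
    live = [parse(l) for l in live_log.strip().splitlines()]
    return {"misuse": misuse_alerts(live), "anomaly": Baseline(train).alerts(live)}


# Constructed sample logs (not from the patent): HMI 10.1.1.10 polls PLC 10.1.2.10
# twice a minute, engineering station 10.1.1.50 writes occasionally.
BASELINE_LOG = """
ts=2025-01-09T10:00:01 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:00:31 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:01:01 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:01:31 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:02:01 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:02:31 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T10:02:45 src=10.1.1.50 dst=10.1.2.10 fc=16 len=20
"""
# Live window: an unknown host 10.1.1.99 probes and writes, and the HMI starts flooding.
LIVE_LOG = """
ts=2025-01-09T11:00:01 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:00:05 src=10.1.1.99 dst=10.1.2.10 fc=43 len=8
ts=2025-01-09T11:00:09 src=10.1.1.99 dst=10.1.2.10 fc=16 len=20
ts=2025-01-09T11:01:00 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:05 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:10 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:15 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:20 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:25 src=10.1.1.10 dst=10.1.2.10 fc=3 len=12
ts=2025-01-09T11:01:30 src=10.1.1.50 dst=10.1.2.10 fc=16 len=20
"""

if __name__ == "__main__":
    for kind, alerts in run_ids(BASELINE_LOG, LIVE_LOG).items():
        for a in alerts:
            print(kind, *a)
```

Note what each mode catches: the signatures fire on the unknown host's device-identification read and write, but not on its first appearance as such; the anomaly model flags the new flows and, separately, the HMI's six-per-minute burst, which matches no signature at all. On an operating vessel a network IDS of this kind belongs on a mirror port, not inline, and the "disconnect" response should stay manual: a false positive that cuts the HMI off from the PLC is a safety event in its own right.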
The specific process of security training for system users is as follows:
Security protection tests are carried out regularly on system users to obtain their security test scores. x consecutive test scores are collected for each user; after the maximum and minimum of the x scores are discarded, the mean of the remaining scores is computed, giving that user's security training evaluation score. When a user's security training evaluation score is below a preset value, personnel training information is generated to prompt that user to undergo security training, where x ≥ 10;
Through this process it can be determined whether a system user's security awareness is adequate, anomalies can be found promptly and a training prompt issued, ensuring the information security protection of the ship industrial control system.
The collected security-related information is extracted; it includes the number of abnormal network fluctuations of the ship industrial control system, the number of attacks on the ship industrial control system network, and the number of attacks on the ship industrial control system database within a preset duration;
The number of abnormal network fluctuations of the ship industrial control system within the preset duration is marked U1, the number of attacks on the ship industrial control system network U2, and the number of attacks on the ship industrial control system database U3;
U1 is given a correction value (weight) Q1, U2 a correction value Q2 and U3 a correction value Q3, with Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2;
The protection evaluation parameter Uu is obtained by the formula U1*Q1 + U2*Q2 + U3*Q3 = Uu;
When the protection evaluation parameter Uu is greater than a preset value, security warning information is generated;
Through this process, anomalies in the ship industrial control system can be found promptly and an accurate warning issued.
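The two scoring rules above (the trimmed mean over x ≥ 10 test scores, and the weighted sum Uu = U1*Q1 + U2*Q2 + U3*Q3 with Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2) carried through in Python, as an added example that is not code from the patent. The thresholds, the weight values, the score series and the event counts are constructed; the patent fixes only the constraints on x and on the weights.

```python
"""Trimmed-mean security training score (step 5 above) and weighted
protection evaluation parameter Uu (step 6 above).

Added example, not code from the patent. Thresholds, weights and sample
values are constructed; the patent fixes only x >= 10, Q1 + Q2 + Q3 = 1
and Q3 > Q1 > Q2.
"""
from typing import Sequence

MIN_SAMPLES = 10     # the patent's x >= 10


def training_score(scores: Sequence[float]) -> float:
    """Mean of the scores after discarding one maximum and one minimum."""
    if len(scores) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} scores, got {len(scores)}")
    trimmed = sorted(scores)[1:-1]
    return sum(trimmed) / len(trimmed)


def needs_training(scores: Sequence[float], preset: float) -> bool:
    """True when the user's evaluation score falls below the preset value."""
    return training_score(scores) < preset


def weights_valid(q1: float, q2: float, q3: float, tol: float = 1e-9) -> bool:
    """Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2 (non-negativity is an added assumption)."""
    return abs(q1 + q2 + q3 - 1.0) <= tol and q3 > q1 > q2 >= 0.0


def protection_score(u1: int, u2: int, u3: int, q1: float, q2: float, q3: float) -> float:
    """Uu = U1*Q1 + U2*Q2 + U3*Q3, with U1..U3 counted over one preset duration."""
    if not weights_valid(q1, q2, q3):
        raise ValueError("weights must satisfy Q1 + Q2 + Q3 = 1 and Q3 > Q1 > Q2")
    return u1 * q1 + u2 * q2 + u3 * q3


def security_warning(u1: int, u2: int, u3: int, weights: tuple, preset: float) -> bool:
    """True when Uu exceeds the preset value for the window the counts cover."""
    return protection_score(u1, u2, u3, *weights) > preset


# Constructed samples (not from the patent).
SCORES_STEADY = [92, 88, 40, 95, 90, 85, 100, 87, 91, 89]   # one bad day, otherwise fine
SCORES_WEAK = [60, 65, 70, 55, 62, 68, 71, 58, 64, 66]
WEIGHTS = (0.3, 0.2, 0.5)   # Q1, Q2, Q3: database attacks weigh most, network attacks least

if __name__ == "__main__":
    print(training_score(SCORES_STEADY), needs_training(SCORES_STEADY, 80))
    print(training_score(SCORES_WEAK), needs_training(SCORES_WEAK, 80))
    print(protection_score(4, 2, 1, *WEIGHTS), security_warning(4, 2, 1, WEIGHTS, 2.0))
```

Two practical points follow from the formulas. Discarding one maximum and one minimum is what keeps a single bad test (the 40 in the first series) from triggering a training prompt, which is why the minimum sample count matters. And because U1..U3 are raw counts, Uu scales with the length of the preset duration, so the warning threshold has to be set for a specific window and re-derived if the window changes.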
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art where there is no contradiction.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (8)

1. A security protection method for a ship industrial control system, characterized by comprising the following steps: Step 1: access control and permission management: identity authentication, in which users of the ship industrial control system are authenticated and access is allowed once authentication passes; at the same time, user permission information is collected and analysed for user permission control; Step 2: data encryption, in which data in the industrial control system is encrypted for transmission; Step 3: vulnerability repair, in which the ship industrial control system is checked for vulnerabilities, patches are updated and vulnerabilities are repaired; Step 4: intrusion detection and protection of the control system; Step 5: security training and management of system users; Step 6: regular collection of security-related information of the ship industrial control system and analysis of the security-related information to obtain security warning information.
2. The security protection method for a ship industrial control system according to claim 1, characterized in that: the authentication methods for users of the ship industrial control system include user name and password, fingerprint recognition, smart card/token, and biometric recognition; the specific process of identity authentication is as follows: the user first performs an initial recognition using any one of user name and password, fingerprint recognition, smart card/token and biometric recognition, chosen according to the actual situation; after the initial recognition passes, any one of user name and password, fingerprint recognition, smart card/token and biometric recognition other than the initial method is selected for a second verification, and when the second verification passes, authentication-passed information is generated allowing the user to use the ship industrial control system; the specific process of user permission control is as follows: the collected user permission information is extracted, the user permission information including the user permission level and the number of failed authentications within a preset duration; the ratio of the number of failed authentications within the preset duration to the preset duration is calculated to obtain an evaluation parameter; user levels include first-level, second-level and third-level users; when a first-level user's evaluation parameter is greater than a preset value, the user is demoted to a second-level user; when a second-level user's evaluation parameter is greater than the preset value, the user is demoted to a third-level user; when a third-level user's evaluation parameter is consecutively greater than the preset value more than a preset number of times, authorization of that user is stopped.
3. The security protection method for a ship industrial control system according to claim 2, characterized in that: when the second verification fails, regardless of which methods were used for the first two verifications, biometric recognition is selected and identity authentication is performed once more; when this authentication passes, the user is likewise allowed to use the ship industrial control system; when it fails, a personnel anomaly warning is generated.
4. The security protection method for a ship industrial control system according to claim 1, characterized in that the specific process of data encryption is as follows: selecting a secure transmission protocol: a suitable secure transmission protocol is selected according to the requirements and security needs of the ship industrial control system; key generation and exchange, asymmetric key generation: each of the two communicating parties generates a public/private key pair; key exchange: through a secure key exchange protocol the two parties exchange key material securely, ensuring the security of subsequent encrypted communication; data encryption: content encryption, in which the data to be transmitted is encrypted with the encryption algorithm negotiated by both parties, the encrypted content including control instructions, status information and sensor data; integrity protection: in addition to data encryption, a message authentication code or digital signature is used to protect data integrity; establishing an encrypted channel for data transmission: an encrypted communication channel is established between the two parties based on the SSL/TLS protocol, and the sender sends the encrypted data to the receiver through this channel; data decryption and verification: the receiver receives the encrypted data from the encrypted channel and then decrypts it, using its own private key and the previously negotiated encryption algorithm, to restore the original data, and finally performs data verification: the receiver can also verify the integrity and origin of the data using the message authentication code or digital signature.
5. The security protection method for a ship industrial control system according to claim 1, characterized in that the specific process of vulnerability repair is as follows: first, vulnerability identification and classification: vulnerabilities in the industrial control system are divided into two categories, software vulnerabilities and hardware vulnerabilities; vulnerability assessment: the identified vulnerabilities are evaluated to determine their severity and scope of impact; vulnerability repair using vulnerability repair software: for known software vulnerabilities, patches and updates released by the vendor are installed promptly; hardware vulnerability repair: firmware updates are performed for firmware problems of hardware devices; hardware replacement: when the hardware has a design defect that cannot be fixed by a firmware update, the hardware device is replaced; reinforcement measure, security isolation: a security isolation device is used to isolate the industrial control system from external networks; verification and testing of the repair: the repaired system is verified and tested, and the vulnerability repair process is complete once the verification test passes.
6. The security protection method for a ship industrial control system according to claim 1, characterized in that the specific process of intrusion detection and protection of the control system is as follows: first, the intrusion detection system is deployed: the IDS technology is selected based on the characteristics and requirements of the ship industrial control system, the intrusion detection technology including host-based IDS, network-based IDS or hybrid IDS; deploying the IDS: the IDS is deployed at preset locations in the system; information collection: the IDS collects information from multiple sources, including system and network logs, unexpected changes in directories and files, unexpected program behaviour, and physical signs of intrusion; data analysis: the IDS analyses the collected information for anomalies or signs of attack, the analysis including pattern matching, statistical analysis or machine learning techniques; anomaly detection and misuse detection are performed, anomaly detection: a model of normal system access behaviour is built and behaviour not conforming to the model is detected; misuse detection: possible attacks are detected by matching known unacceptable behaviour patterns; intrusion response, alert generation: when the IDS detects an intrusion, an alert is generated to notify the administrator; response strategy: the administrator takes an appropriate response strategy based on the alert information; protection strategy update and maintenance: the IDS rule base and engine are updated regularly; network isolation: network isolation technology is used to isolate the ship industrial control system from external networks; security audit: the ship industrial control system is audited regularly to identify potential security vulnerabilities and risks, which are repaired and improved.
7. The security protection method for a ship industrial control system according to claim 1, characterized in that the specific process of security training for system users is as follows: security protection tests are performed regularly on system users to obtain system-user security test scores; x consecutive system-user security test scores are collected; after the maximum and minimum of the x scores are removed, the mean of the remaining scores is calculated, giving the security training evaluation score of the individual; when an individual's security training evaluation score is less than a preset value, personnel training information is generated and sent to that person, prompting them to undergo security training.
8. The security protection method for a ship industrial control system according to claim 1, characterized in that the specific process of analysing the security-related information to obtain security warning information is as follows: the collected security-related information is extracted, the security-related information including the number of abnormal network fluctuations of the ship industrial control system within a preset duration, the number of attacks on the ship industrial control system network and the number of attacks on the ship industrial control system database; the number of abnormal network fluctuations of the ship industrial control system within the preset duration is marked U1, the number of attacks on the ship industrial control system network U2, and the number of attacks on the ship industrial control system database U3; U1 is given a correction value Q1, U2 a correction value Q2 and U3 a correction value Q3, with Q1+Q2+Q3=1 and Q3>Q1>Q2; the protection evaluation parameter Uu is obtained by the formula U1*Q1+U2*Q2+U3*Q3=Uu; when the protection evaluation parameter Uu is greater than a preset value, security warning information is generated.
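Claims 2 and 3 describe a two-step authentication with a biometric fallback, and a demotion of user level driven by the failure rate over a preset duration. The following Python example is an added illustration of that logic, not the patent's code. The verifier callables, the window length, the threshold, the strike limit, the decision to treat a failed first factor as an outright denial (which the claims do not specify), and the reset of the failure window on demotion are all assumptions made for the example.

```python
"""Two-step login with biometric fallback (claims 2 and 3) and failure-rate
based privilege demotion (claim 2).

Added example, not code from the patent. Verifiers, window length,
threshold and strike limit are constructed; so is the handling of a failed
first factor, which the claims do not specify.
"""
from collections import deque

METHODS = {"password", "fingerprint", "token", "biometric"}


class Account:
    def __init__(self, name: str, level: int = 1):
        self.name = name
        self.level = level          # 1 = first-level (most privileged) ... 3 = third-level
        self.authorized = True
        self.failures = deque()     # timestamps (seconds) of failed verifications
        self.strikes = 0            # consecutive over-threshold evaluations at level 3


class AccessController:
    def __init__(self, verifiers: dict, window_s: float, threshold: float, max_strikes: int):
        self.verifiers = verifiers      # method -> callable(user, credential) -> bool
        self.window_s = window_s        # the patent's "preset duration"
        self.threshold = threshold      # evaluation parameter = failures / window_s
        self.max_strikes = max_strikes  # the patent's "preset number of times"

    def _verify(self, method: str, acct: Account, cred, now: float) -> bool:
        ok = bool(self.verifiers[method](acct.name, cred))
        if not ok:
            acct.failures.append(now)
        return ok

    def failure_rate(self, acct: Account, now: float) -> float:
        """Failures inside the sliding window divided by the window length."""
        while acct.failures and acct.failures[0] <= now - self.window_s:
            acct.failures.popleft()
        return len(acct.failures) / self.window_s

    def reevaluate(self, acct: Account, now: float) -> None:
        over = self.failure_rate(acct, now) > self.threshold
        if acct.level < 3:
            if over:
                acct.level += 1
                acct.failures.clear()   # assumption: a demotion opens a fresh window
        else:
            acct.strikes = acct.strikes + 1 if over else 0
            if acct.strikes > self.max_strikes:
                acct.authorized = False  # claim 2: authorization stopped

    def login(self, acct: Account, first: tuple, second: tuple, now: float,
              biometric=None) -> str:
        """first/second: (method, credential); biometric: credential for the claim 3 retry.
        Returns 'granted', 'denied' or 'alert'."""
        if not acct.authorized:
            return "denied"
        (m1, c1), (m2, c2) = first, second
        if m1 not in METHODS or m2 not in METHODS or m1 == m2:
            raise ValueError("second factor must be a different method from the first")
        if not self._verify(m1, acct, c1, now):
            result = "denied"                      # assumption: initial recognition failed
        elif self._verify(m2, acct, c2, now):
            result = "granted"
        elif biometric is not None and self._verify("biometric", acct, biometric, now):
            result = "granted"                     # claim 3: biometric retry after 2nd failure
        else:
            result = "alert"                       # claim 3: personnel anomaly warning
        self.reevaluate(acct, now)
        return result


# Constructed verifiers (not from the patent): fixed reference credentials stand in
# for a password store, a fingerprint template, an OTP token and a face template.
VERIFIERS = {
    "password":    lambda user, cred: cred == "correct horse",
    "fingerprint": lambda user, cred: cred == "fp-match",
    "token":       lambda user, cred: cred == "otp-123456",
    "biometric":   lambda user, cred: cred == "face-match",
}

if __name__ == "__main__":
    ctl = AccessController(VERIFIERS, window_s=600, threshold=3 / 600, max_strikes=2)
    ops = Account("ops1")
    print(ctl.login(ops, ("password", "correct horse"), ("token", "otp-123456"), now=0))
    print(ctl.login(ops, ("password", "correct horse"), ("token", "bad"), now=10,
                    biometric="face-match"))
    print(ctl.login(ops, ("password", "correct horse"), ("token", "bad"), now=20))
```

The claims define the evaluation parameter as failures divided by the preset duration, which makes the threshold an awkward fraction (here 3/600 means "more than three failures in ten minutes"); in practice it is clearer to configure the preset as a failure count per window and derive the ratio. The retry in claim 3 is a usability concession: it still records the second-factor failure, so repeated use of the fallback drives the same demotion logic.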
CN202510031120.6A 2025-01-09 2025-01-09 A safety protection method for ship industrial control system Pending CN119475359A (en)


Publications (1)

Publication Number Publication Date
CN119475359A (en) 2025-02-18

Family

ID=94569833



Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20040035572A (en) * 2002-10-22 2004-04-29 최운호 Integrated Emergency Response System in Information Infrastructure and Operating Method therefor
CN117688529A (en) * 2023-11-09 2024-03-12 南通海洲电气成套设备有限公司 Control box system for wharf ship
CN118748604A (en) * 2024-06-19 2024-10-08 南京苏润科技发展有限公司 A method for constructing a network security defense system for a remotely operated ship lock



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20250218