Comprehensive situation management and control system

Document number: 1815137 Publication date: 2021-11-09

Reading note: This technology, a comprehensive situation management and control system (一种综合态势管控系统), was designed and created by 翁小平, 何琳, 李峻海, 张金涛 and 范华兵 on 2020-05-07. Its main content is as follows. The invention provides a comprehensive situation management and control system that can be used for a new material control system. A unidirectional acquisition gateway collects traffic from the field access switch, preprocesses it and sends it to the comprehensive security situation awareness system for situation-awareness-based industrial control security event analysis, which yields the device information and security event information in the system; these are sent to the event processing gateway. The event processing gateway obtains the administrator and operator information of the device from the device management system according to the device information, sends the security event directly to the responsible manager for handling through the work order processing system, and at the same time alerts the manager through the event notification system. After the manager handles the event, the work order processing system returns the processing result; once the event processing gateway confirms that the event has been handled, it sends a message to the manager through the event notification system to notify the processing result.

1. A system, characterized by comprising:

a comprehensive security situation awareness system for associating device information with a detected security event when the security event is detected from field traffic data; and/or

an event processing gateway for notifying the corresponding manager of the device to handle the security event according to the device information.

2. The system of claim 1, further comprising:

a unidirectional acquisition gateway for acquiring field traffic and/or preprocessing the field traffic and sending it to the comprehensive security situation awareness system for security event detection; and/or

a device management system for storing manager information of the device and/or information of the device; and/or

a work order processing system for sending the security event to the manager for handling and/or returning a processing result; and/or

an event notification system for notifying the manager of the security event and/or notifying the manager of the result once it is confirmed that the security event has been disposed of; and/or

a field control system; and/or

a field operator station; and/or

an access switch; and/or

a centralized control engineer station; and/or

a centralized control operator station.

3. The system of claim 2, wherein the event processing gateway is coupled to one or more of the comprehensive security situation awareness system, the device management system, the work order processing system and/or the event notification system, for:

querying the device management system, based on device information received from the comprehensive security situation awareness system, for the manager information and/or the device information stored by the device management system, and/or

checking the device information by comparing whether the device information obtained by the comprehensive security situation awareness system is consistent with the corresponding device information in the device management system, and/or

sending the security event to the manager for handling through the work order processing system, and/or

sending the security event to the manager for alerting through the event notification system, and/or

issuing a device information exception prompt when the device information check result is inconsistent, and/or

feeding back the manager's new-device or illegal-device access decision returned by the work order processing system to the comprehensive security situation awareness system, and/or

feeding back the manager's processing result returned by the work order processing system to the comprehensive security situation awareness system, and/or

closing the security event in response to the comprehensive security situation awareness system confirming that the security event has been handled, and/or

sending an update request to the device management system to update the device information according to the update instruction returned by the work order processing system.

4. The system of claim 3, wherein the integrated security posture awareness system is further configured to:

identifying the device information and sending it to the event processing gateway, and/or

performing detection and/or processing according to the processing result fed back by the event processing gateway, and/or

marking the handled event according to the processing result fed back by the event processing gateway, confirming that the event has been handled, and/or

generating an illegal device access security event according to the illegal device access decision fed back by the event processing gateway, and/or

upon detecting that a security event of the same kind as a marked handled event occurs again, correlating it with the original event, and/or reopening the security event processing flow, and/or sending a handling suggestion to the manager through the event processing gateway.

5. The system according to any one of claims 1 to 4, wherein the device information comprises an Internet protocol address of the device, a device name, a device type, an operating system type, operating system version information, and/or an event type.

6. An event processing gateway, characterized in that the event processing gateway is configured to:

sending a detected security event to the corresponding manager for handling, and/or

sending the detected security event to the manager for alerting.

7. The event processing gateway of claim 6, wherein the event processing gateway is further configured to:

querying, according to received device information, to obtain the stored manager information and/or the stored device information, and/or

checking the device information by comparing the received device information with the stored corresponding device information, and/or

sending the security event to the manager for handling, and/or

sending the security event to the manager for alerting, and/or

issuing a device information exception prompt when the device information check result is inconsistent, and/or

feeding back the new-device or illegal-device access decision returned by the manager, and/or

feeding back the processing result returned by the manager, and/or

closing the security event in response to confirming that the security event has been handled, and/or

sending an update request to update the stored device information according to the update instruction returned by the manager.

8. An integrated security posture awareness system, wherein the integrated security posture awareness system is configured to:

detecting a security event from field traffic data; and/or

upon detecting a security event, associating device information with the detected security event.

9. The integrated security posture awareness system of claim 8, wherein said integrated security posture awareness system is further configured to:

detecting security events based on collected field traffic data, and/or

identifying the device information so as to associate it with the security event, and/or

performing detection and/or processing according to the fed-back processing result, and/or

marking the handled event according to the fed-back processing result, confirming that the event has been handled, and/or

generating an illegal device access security event according to the fed-back illegal device access decision, and/or

upon detecting that a security event of the same kind as a marked handled event occurs again, correlating it with the original event, and/or reopening the security event processing flow, and/or sending a handling suggestion to the manager.

10. A work order processing system, wherein the work order processing system is configured to:

receiving a security event processing request; and/or

transmitting the security event processing request to the manager corresponding to the device information in the security event processing request; and/or

updating with the manager's processing result, and/or a device information update instruction, and/or new-device or illegal-device confirmation information.

11. A method, characterized by comprising:

associating device information with a detected security event when the security event is detected from field traffic data; and/or

notifying the corresponding manager of the device to handle the security event according to the device information.

12. The method of claim 11, further comprising:

collecting field traffic data and/or preprocessing it for security event detection; and/or

storing manager information of the device and/or information of the device; and/or

sending the security event to the manager for handling and/or returning a processing result; and/or

notifying the manager of the security event and/or notifying the manager of the result once it is confirmed that the security event has been disposed of.

13. The method of claim 11 or 12, further comprising:

querying, according to received device information, to obtain the stored manager information and/or the stored device information, and/or

checking the device information by comparing the received device information with the stored corresponding device information, and/or

sending the security event to the manager for handling, and/or

sending the security event to the manager for alerting, and/or

issuing a device information exception prompt when the device information check result is inconsistent, and/or

feeding back the new-device or illegal-device access decision returned by the manager, and/or

feeding back the processing result returned by the manager, and/or

closing the security event in response to confirming that the security event has been handled, and/or

sending an update request to update the device information according to the update instruction returned by the manager.

14. The method of claim 13, further comprising:

detecting security events based on collected field traffic data, and/or

identifying the device information so as to associate it with the security event, and/or

performing detection and/or processing according to the fed-back processing result, and/or

marking the handled event according to the fed-back processing result, confirming that the event has been handled, and/or

generating an illegal device access security event according to the fed-back illegal device access decision, and/or

upon detecting that a security event of the same kind as a marked handled event occurs again, correlating it with the original event, and/or reopening the security event processing flow, and/or sending a handling suggestion to the manager.

15. A non-transitory machine-readable storage medium comprising one or more instructions that in response to being executed result in one or more processors performing one or more steps of a method as recited in any of claims 11-14 above.

16. A computing device comprising one or more processors and one or more memories coupled with the one or more processors for storing one or more instructions, wherein the one or more instructions, in response to being executed, cause the one or more processors to perform one or more steps of the method of any of claims 11-14 above.

Technical Field

The invention relates to the technical field of security situation awareness and management and control, and in particular to a comprehensive situation management and control system and method for a new material control system.

Background

Existing situation awareness technology mainly focuses on security situation analysis, active detection, industrial control intranet security audit, big data security event analysis, user and entity behavior analysis, passive monitoring of the industrial control external network, and comprehensive macroscopic situation analysis and judgment. For the handling of the security events that situation awareness discovers, however, there is still no effective closed-loop management technology, so existing situation awareness technology lacks an effective means of comprehensive management and control once a security event has been found.

Because existing situation awareness systems emphasize analysis and neglect handling, existing industrial control situation awareness systems cannot be well integrated with digital intelligent manufacturing systems, and the capacity to handle security events is difficult to improve.

With the rapid development of industrial digitization, networking and intelligence, the security vulnerabilities of industrial control systems keep increasing, and new challenges such as the rapid penetration of security threats and complex and varied attack methods are faced. In recent years industrial information security incidents have occurred frequently, and many industrial fields such as metallurgy, energy, electric power, natural gas, communications, transportation and pharmaceuticals have been subjected to continual security attacks. With the progress of intelligent manufacturing, system fusion and interconnection have become trends, and industrial control information security is of great importance. The new material intelligent manufacturing industry is a high-risk industry in which safe and stable operation is the fundamental requirement, yet the security level of its industrial control systems is low and their protection insufficient, leaving much room for improvement.

Disclosure of Invention

One objective of the present invention is to provide a comprehensive situation management and control system and method for a new material control system.

According to one aspect of the present invention, there is provided a system comprising an integrated security situation awareness system for associating device information with a detected security event upon detection of the security event from field traffic data; and/or an event processing gateway for notifying the corresponding manager of the device to handle the security event according to the device information.

The system according to the above aspect of the present invention further comprises a unidirectional acquisition gateway, configured to acquire field traffic and/or perform preprocessing, so as to send the acquired field traffic to the integrated security situation awareness system for security event detection; and/or a device management system for storing manager information of the device and/or information of the device; and/or a work order processing system for sending the security event to the manager for handling and/or returning a processing result; and/or an event notification system for notifying the manager of the security event and/or notifying the manager of the result once it is confirmed that the security event has been handled; and/or a field control system; and/or a field operator station; and/or an access switch; and/or a centralized control engineer station; and/or a centralized control operator station.

According to the system of the above aspect of the invention, the event processing gateway is coupled to one or more of the integrated security situation awareness system, the device management system, the work order processing system and/or the event notification system, for querying the device management system according to the device information received from the integrated security situation awareness system to obtain the manager information and/or the device information stored by the device management system, and/or for checking the device information by comparing whether the device information obtained by the integrated security situation awareness system is consistent with the corresponding device information in the device management system, and/or for sending the security event to the manager for handling through the work order processing system, and/or for sending the security event to the manager for alerting through the event notification system, and/or for issuing a device information exception prompt when the device information check result is inconsistent, and/or for feeding back the manager's new-device or illegal-device access decision returned by the work order processing system to the integrated security situation awareness system, and/or for feeding back the manager's processing result returned by the work order processing system to the integrated security situation awareness system, and/or for closing the security event in response to the integrated security situation awareness system confirming that the security event has been handled, and/or for sending an update request to the device management system to update the device information according to the update instruction returned by the work order processing system.

According to the system of the above aspect of the present invention, the integrated security situation awareness system is further configured to identify the device information to send to the event processing gateway, and/or detect and/or process according to a processing result fed back by the event processing gateway, and/or mark a processed event according to a processing result fed back by the event processing gateway, confirm that the processed event has been processed, and/or generate an illegal device access security event according to an illegal device access option fed back by the event processing gateway, and/or upon detecting that a security event of the same kind as the marked processed event occurs again, associate an original event, and/or open a security event processing flow again, and/or send a handling recommendation to an administrator through the event processing gateway.

According to the system of the above aspect of the present invention, the device information includes an internet protocol address, a device name, a device type, an operating system type, operating system version information, and/or an event type of the device.

According to another aspect of the present invention, there is provided an event processing gateway configured to send a detected security event to a corresponding manager for processing and/or send the detected security event to a manager for alerting.

The event processing gateway according to the above aspect of the present invention is further configured to perform an inquiry according to the received device information to obtain the stored administrator information and/or the stored device information, and/or to check the device information by comparing whether the received device information and the stored corresponding device information are consistent, and/or to send the security event to an administrator for processing, and/or to send the security event to the administrator for warning, and/or to send a device information exception prompt when the device information check result is inconsistent, and/or to feed back a new device or an illegal device access option returned by the administrator, and/or to feed back a processing result returned by the administrator, and/or to close the security event in response to confirming that the security event has been processed, and/or sending an updating request to update the stored equipment information according to an updating instruction returned by the management personnel.

In accordance with yet another aspect of the present invention, there is provided an integrated security situation awareness system configured for security event detection based on field traffic data; and/or for associating device information with the detected security event when the security event is detected.

The integrated security situation awareness system according to the above aspect of the present invention is further configured to perform security event detection based on the collected field traffic data, and/or to identify the device information so as to correlate it with the security event, and/or to detect and/or process according to the fed-back processing result, and/or to mark the handled event according to the fed-back processing result, confirming that the event has been handled, and/or to generate an illegal device access security event according to the fed-back illegal device access decision, and/or, upon detecting the re-occurrence of a security event of the same kind as a marked handled event, to correlate it with the original event, and/or to reopen the security event processing flow, and/or to send a disposal recommendation to the manager.

In accordance with yet another aspect of the present invention, a work order processing system is provided, the work order processing system configured for receiving a security event processing request; and/or sending the security event processing request to a manager corresponding to the equipment information in the security event processing request; and/or updating the processing result of the administrator, and/or equipment information updating instructions, and/or new equipment or illegal equipment confirmation information.

In accordance with another aspect of the present invention, there is provided a method comprising upon detecting a security event from field flow data, associating device information of the detected security event; and/or notifying corresponding management personnel of the equipment to process according to the equipment information.

The method according to the above aspect of the present invention further comprises collecting field flow data and/or performing preprocessing for security event detection; and/or storing manager information of the equipment and/or information of the equipment; and/or sending the security event to the manager for processing and/or returning a processing result; and/or notifying the manager of the security event and/or notifying the manager of a result of confirming that the security event has been handled.

The method according to the above aspect of the present invention further comprises querying according to the received device information to obtain the stored manager information and/or the stored device information, and/or comparing whether the received device information and the stored corresponding device information are consistent in order to check the device information, and/or sending the security event to the manager for handling, and/or sending the security event to the manager for alerting, and/or issuing a device information exception prompt when the device information check result is inconsistent, and/or feeding back a new-device or illegal-device access decision returned by the manager, and/or feeding back a processing result returned by the manager, and/or closing the security event in response to confirming that the security event has been handled, and/or sending an update request to update the device information according to an update instruction returned by the manager.

The method according to the above aspect of the present invention further includes performing security event detection according to the collected field flow data, and/or identifying the device information, to associate the device information with the security event, and/or performing detection and/or processing according to the fed back processing result, and/or marking the processed event according to the fed back processing result, confirming that the processed event has been processed, and/or generating an illegal device access security event according to the fed back illegal device access option, and/or upon detecting that a security event similar to the marked processed event occurs again, associating the original event, and/or opening a security event processing flow again, and/or sending a disposal suggestion to a manager.

According to yet another aspect of the invention, there is provided a non-transitory machine-readable storage medium comprising one or more instructions that in response to being executed result in one or more processors performing one or more steps of a method as in the above aspects.

In accordance with yet another aspect of the present invention, a computing device is provided, comprising one or more processors and one or more memories coupled with the one or more processors for storing one or more instructions, wherein the one or more instructions, in response to being executed, cause the one or more processors to perform one or more steps of a method according to the above aspects.

According to the above aspect of the present invention, since the system of the present invention collects data from the field control system using the unidirectional collection gateway, correlates the asset information of an event after a security event is detected, and checks that information via the event processing gateway against the device management system, it helps to detect changes of asset information in the device management system and to update the asset information in the asset library at the same time.

According to the above aspect of the present invention, since the information of the equipment administrator or the responsible person of the equipment management system is queried, the relevant person can be notified in time to perform the event processing through the work order management system and the event notification system, thereby improving the response time and the handling efficiency of the event.

According to the above aspects of the invention, because the event processing gateway utilizes a standard interactive interface, the event processing gateway can be closely combined with the existing digital intelligent system of an industrial production enterprise to achieve timely and effective closed-loop processing of the security event, and meanwhile, through being combined with the digital intelligent manufacturing system, the detection accuracy of the security situation perception system and the accuracy of the asset information can be improved.

According to the aspects of the invention, by notifying the administrator and the operator in a timely manner, the event can also be reported to the security administrator or the management layer, so that security awareness education is carried out for enterprise staff, the on-the-ground implementation of the security management system is improved, and the security management level of the new material control system is continuously raised.

According to the aspects of the invention, the tendency of existing situation awareness systems to emphasize analysis and neglect handling is addressed by combining security situation awareness with security event handling: closed-loop security event management is realized through the security event handling gateway, the defect that existing industrial control situation awareness systems cannot be well integrated with digital intelligent manufacturing systems is overcome, and the capacity to handle security events is improved.

Drawings

FIG. 1 schematically illustrates an example of a system according to an embodiment of the invention;

FIG. 2 schematically illustrates a flow diagram of one example of a method in accordance with one embodiment of the invention;

FIG. 3 schematically illustrates a flow chart of one example of a method according to one embodiment of the invention;

FIG. 4 schematically illustrates a flow chart of one example of a method according to one embodiment of the invention;

FIG. 5 schematically illustrates a flow chart of one example of a method according to one embodiment of the invention;

FIG. 6 schematically shows a block diagram of an example of an apparatus according to an embodiment of the invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

Although the following description sets forth various implementations that may be shown, for example, in a system architecture, implementations of the techniques and/or arrangements described herein are not limited to a particular system architecture and/or computing system and may be implemented by any architecture and/or computing system for similar purposes. For example, various architectures and/or various computing devices and/or electronic devices employing, for example, one or more integrated circuit chips and/or packages, may implement the techniques and/or arrangements described herein. Furthermore, although the following description may set forth numerous specific details (e.g., logical implementations, types and interrelationships of system components, logical partitioning/integration choices, etc.), claimed subject matter may be practiced without these specific details. In other instances, some materials (e.g., control structures and complete software instruction sequences) may not be shown in detail in order not to obscure the material disclosed herein. The materials disclosed herein may be implemented in hardware, firmware, software, or any combination thereof.

The materials disclosed herein may also be implemented as instructions stored on a machine-readable medium or memory that may be read and executed by one or more processors. A computer-readable medium may include any medium and/or mechanism for storing or transmitting information in a form readable by a machine (e.g., a computing device). For example, a machine-readable medium may include Read Only Memory (ROM), Random Access Memory (RAM), magnetic disk storage media; an optical storage medium; a flash memory device; and/or other media. In another form, a non-transitory article (e.g., a non-transitory computer readable medium) may be used for any of the above-mentioned examples or other examples, including such elements (e.g., RAM, etc.) that may temporarily store data in a "transient" manner.

FIG. 1 shows an example of a system according to an embodiment of the invention. According to one embodiment of the present invention, the system 100 may include an integrated situation management system that may be used in a new material control system. As shown in FIG. 1, in one embodiment, the system 100 may include a field control system 102, a field operator station 104, an access switch 106, a unidirectional acquisition gateway 108, a centralized monitoring center 110, a device management system 120, a work order management system 130, and/or an event notification system 140, among others.

In one embodiment, the system 100 may deploy a unidirectional acquisition gateway 108 to acquire traffic from the on-site access switch 106, and send the traffic to the integrated security situation awareness system 118 at the centralized monitoring center 110 after preprocessing by the unidirectional acquisition gateway 108 computing module. After the comprehensive security situation awareness system 118 performs situation awareness-based industrial control security event analysis, the event processing gateway 116 is used to perform subsequent processing such as security event warning on the discovered security event.

For example, the integrated security situation awareness system 118 may obtain device information and security event information in the new material control system during the analysis process and send the device information and security event information to the event processing gateway 116. The event processing gateway 116 may obtain the administrator and operator information of the device from the device management system 120 according to the device information, send the security event to the administrator or operator directly through the work order processing system 130 for processing, and send the security event to the administrator or operator through the event notification system 140 for warning.

After the corresponding manager processes the event, the processing result is returned to the work order processing system 130. After the event processing gateway 116 confirms that the event has been handled, it sends a message to the corresponding administrator through the event notification system 140 to notify the event processing result.

Referring to FIG. 1, the centralized monitoring center 110 may include a centralized control engineer station 112, a centralized control operator station 114, an event handling gateway 116, and/or an integrated security posture awareness system 118, among others. In one embodiment, the data in the field control system 102 and/or the field operator station 104 may be collected via the access switch 106 using the unidirectional collection gateway 108. When the integrated security situation awareness system 118 detects a security event by analyzing the data, the asset (or device) information of the associated event is checked by the event processing gateway 116 against the information in the device management system 120 to detect a change of the asset (or device) information in the device management system 120, and the like, so as to update the asset (or device) information in the asset library of the device management system 120 in time.

In one embodiment, the integrated security posture awareness system 118 may collect traffic and/or data from the field control system 102 and/or the field operator station 104 from the access switch 106 on-site via the unidirectional collection gateway 108. For example, the unidirectional acquisition gateway 108 may include a computing module (not shown) for preprocessing the acquired traffic and/or data for transmission to the integrated security posture awareness system 118 of the centralized monitoring center 110.

The integrated security situation awareness system 118 may be used to perform situation awareness-based industrial control security event analysis, and perform security event warning and other processing on security events discovered by analysis by using the event processing gateway 116. For example, the integrated security posture awareness system 118 may obtain device information and/or security event information for the new materials control system during the analysis process to send to the event processing gateway 116. The event processing gateway 116 may retrieve administrator (e.g., administrator and/or operator) information for the device from the device management system 120 based on the device information, to send security events directly to the administrator for processing via the work order management system 130, and/or to send alerts to the administrator via the event notification system 140, for example.

The manager of the corresponding device may process the security event and return the processing result in the work order management system 130. If the event processing gateway 116 confirms that the event has been handled, a message is sent to the corresponding manager through the event notification system 140 to notify the event processing result.

In one embodiment, the event processing gateway 116 may provide interfaces for interacting with one or more systems such as the device management system 120, the work order management system 130, and/or the event notification system 140, for example, a standard device query interface, and/or an interface supporting custom interfacing with the device management system 120, an integrated work order process flow interface, and/or a message notification interface, among others. The integrated security situational awareness system 118 may automatically identify information about the Internet Protocol (IP) address, device name, device type, etc. of the device by collecting data from the field control network (e.g., from the field control system 102 and/or the field operator station 104). The integrated security situation awareness system 118 may send the device information and/or security event information to the event processing gateway 116 upon detecting a security event. Event processing gateway 116 may send a device information query request to device management system 120 based on the received information, such as the IP address, device name, and/or device type of the device. The event processing gateway 116 may obtain administrator information for the device from a device library of the device management system 120 and/or obtain information such as the IP address, device name, device type, etc. of the device from the device library. In one embodiment, the device management system 120 may be used to store administrator information for the device, and/or device information such as an IP address, a device name, and/or a device type.

The event processing gateway 116 may be configured to check the device information to compare whether the information obtained by the integrated security context awareness system 118, such as the IP address, the device name, and/or the device type, is consistent with the corresponding device information in the device library.

If there is a discrepancy between the device information corresponding to the security event and the information in the device management system 120, the event processing gateway 116 may send the discrepancy comparison result as an attachment, along with the security event information, to the device's manager via the work order management system 130 for processing, and/or raise an alert via the event notification system 140. After the manager of the corresponding device processes the event, the manager may return the processing result through the work order management system 130. After confirming that the event has been handled, the event processing gateway 116 sends a message to the corresponding manager through the event notification system 140, for example, that the event processing is completed. If the manager of the corresponding device confirms that the device is updated, it may reply to the device management system 120 via the event processing gateway 116 through the work order management system 130 to update the device information in the device library. In one embodiment, after the device information check, the manager may perform device validation and event processing and return the processing results to the integrated security posture awareness system 118 via the event processing gateway 116. For example, a manager may process an event while performing device validation, but the present invention is not limited thereto.

On the other hand, if the device information corresponding to the security event does not exist in the device management system 120, the device may be a new device or an illegal access device, and the event processing gateway 116 may send the security event directly to an administrator for processing through the work order management system 130 and/or may raise an alert through the event notification system 140. For example, the manager may be offered an option to confirm whether the device is a new device or an illegally accessed device, although the invention is not limited thereto. If the administrator confirms that the device is a new device, the new device and/or its information is automatically added to the device management system 120 based on the option. Otherwise, the work order management system 130 may return the manager's confirmation that the access is by an unauthorized new or illegal device to the integrated security posture awareness system 118 via the event processing gateway 116. The integrated security situational awareness system 118 may then generate an illegal device access security event. In one embodiment, the manager may process the event while the device is being confirmed, and then return the processing result to the event processing gateway 116 for forwarding to the integrated security situation awareness system 118 for detection and processing.

If the result is consistent after the event processing gateway 116 checks the device information, the event processing gateway 116 may send the security event directly to the administrator for processing through the work order management system 130 and/or may send the alarm information to the administrator for alarm through the event notification system 140. After the manager processes the event, the processing result may be returned to the integrated security situation awareness system 118 via the event processing gateway 116. The integrated security situation awareness system 118 may flag the processed event to confirm that the event has been processed.

In one embodiment, if the integrated security posture awareness system 118 detects that a security event of the same type as an event marked as having been processed occurs again, possibly because the manager did not actually process the event, the integrated security posture awareness system 118 may further associate it with the original event, reopen that event, and send it to the manager for processing (e.g., via the work order management system 130 and/or the event notification system 140, as described above) via the event processing gateway 116.

In one embodiment, the integrated security posture awareness system 118 may monitor security by collecting traffic from the on-site access switch 106 through the unidirectional collection gateway 108. For example, if the field operator station 104 begins scanning for malware (although the invention is not limited to such security events), the integrated security situational awareness system 118 may upload device information, such as an IP address, operating system type and/or version information, and/or event type of the field operator station 104 upon detecting the scanning event using the unidirectional acquisition gateway 108. For example, the integrated security situational awareness system 118 may send the IP address, operating system type and/or version information of the field operator station 104 and/or the scan event type to the event processing gateway 116 upon detection of a security event based on the alarm rules.

The event processing gateway 116 may obtain information from the device management system 120 regarding the administrator (e.g., administrator and/or operator) information for the field operator station 104 based on the IP address, operating system type, and/or version information for the field operator station 104, and/or information stored in the device management system 120 regarding the IP address, operating system type, and/or version information.

If the event processing gateway 116 finds, by comparison, that the version information of the operating system detected by the integrated security posture awareness system 118 is newer than that of the device management system 120 (although the invention is not limited in this respect), the event processing gateway 116 may form the result of the operating system version difference as collateral information and/or send the security event and the version difference information to an administrator of the device (e.g., the field operator station 104) for processing via the work order management system 130.

The manager may select to update the operating system version in the work order result after performing malicious code cleaning on the field operator station 104 and confirming that the operating system version of the field operator station 104 is updated.

The work order management system 120 may return this work order processing result to the event processing gateway 116. Upon receiving the returned work order processing results, the event processing gateway 116 confirms that the event has been processed and may send an event processing result message to the corresponding manager of the device via the event notification system 140. Event processing gateway 116 closes the security event processing flow.

The event processing gateway 116 may also send an os version update request to the device management system 120 based on os version update instructions returned by the work order management system 130. In response to receiving the operating system version update instruction, the device management system 120 may update device information, such as operating system versions, in its device library.

If the processed security scan event is marked and monitored again by the integrated security situation awareness system 118, the integrated security situation awareness system 118 may associate the original event, open the security event processing flow again, and send the handling recommendation to the manager for processing through the event processing gateway 116 via the work order management system 130. The integrated security situation awareness system 118 may further notify a higher security manager and/or a direct system responsible person through the event notification system 140 according to the secondary event processing rule, so as to perform further analysis and processing, thereby ensuring that the security event is completely processed.

In one embodiment, the centralized control center 110 may include one or more centralized control engineer stations 112 and/or centralized control operator stations 114. The field control system 102 and/or the field operator station 104 may access the industrial network via the access switch 106 to communicate with one or more of the centralized control engineer station 112 and/or the centralized control operator station 114. The central control engineer station 112 and/or the central control operator station 114 may be used for centralized control of the field control system 102 and/or the field operator station 104, etc., although the invention is not limited thereto. In one embodiment, the access switch 106 may utilize, for example, a Scalance X type access switch, although the invention is not limited in this respect and in another embodiment, the access switch 106 may comprise other industrial ethernet switches or other access switches. In another embodiment, the field control system 102 may include a programmable controller or other control device, such as, for example, Siemens S7-400, although the invention is not limited thereto.

Although the centralized control center 110 shown in fig. 1 may include one or more discrete devices, in another embodiment, the one or more devices may be integrated. For example, the event processing gateway 116 may be system integrated with the security situational awareness system 118. In another embodiment, the device management system 120 may be integrated with the centralized control center 110 and/or the integrated security posture awareness system 118. In another embodiment, although FIG. 1 illustrates separate work order management system 130 and event notification system 140, in another embodiment, the work order management system 130 and event notification system 140 may be integrated.

In one embodiment, one or more devices in the system 100 may include a controller or the like having an electrical module, a control module, and/or a communication module, although the invention is not limited in this respect, and in another embodiment, the one or more devices may be implemented using a computer or other electronic device, or may include hardware, firmware, software, or various combinations thereof. In another embodiment, the event processing gateway 116 may include an interactive interface for interacting and/or communicating with one or more of the integrated security posture management system 118, the device management system 120, the work order management system 130, and/or the event notification system 140.

Referring to FIG. 1, in one embodiment, the system 100 may utilize a one-way collection gateway to collect data in a field control system, correlate asset information for an event after a security event is detected, check it against information from the device management system through the event handling gateway, facilitate detecting changes to asset information in the device management system, and update asset information in the asset repository in time.

In another embodiment, by inquiring the information of the equipment management personnel or responsible personnel of the equipment management system, the work order management system and the event notification system can notify the relevant personnel to process the event in time, so that the response time and the handling efficiency of the event are improved.

In another embodiment, the event processing gateway can be closely combined with the existing digital intelligent system of the industrial production enterprise by using a standard interactive interface to achieve timely and effective closed-loop processing of the security event, and meanwhile, the detection accuracy of the security situation sensing system and the accuracy of the asset information can be improved by combining with the digital intelligent manufacturing system.

By informing the administrator and operator in time, and by also informing the security administrator or the management layer of the security event, security awareness education can be carried out for the enterprise's staff, the implementation of the security management system can be promoted, and the security management level of the new material control system can be continuously improved.

Through the security situation perception and security event handling in the system, the existing problem that situation perception systems emphasize analysis over handling is addressed, closed-loop security event management is realized through the security event handling gateway, the defect that existing industrial control situation perception systems cannot be well integrated with a digital intelligent manufacturing system is overcome, and the handling capacity for security events is improved.

FIG. 2 shows a flow diagram of a method according to one embodiment of the invention. In one embodiment, the centralized processing center 110 (e.g., the event processing gateway 116) shown in fig. 1 may perform comprehensive situation management such as security event notification/alarm according to the process described in fig. 2. For example, the unidirectional acquisition gateway 108 acquires traffic from the field access switch, and sends the traffic to the integrated security situation awareness system 118 located in the centralized monitoring center 110 after being preprocessed by the unidirectional acquisition gateway computing module. After the comprehensive security situation awareness system 118 performs situation awareness-based industrial control security event analysis, the event processing gateway 116 is used to perform subsequent processing such as security event warning on the discovered security event.

As shown in fig. 2, at block 202, for example, event processing gateway 116 may receive device information and/or security event information. Referring to fig. 1 and 2, in one embodiment, the device information and/or security event information may be obtained by analyzing data of the field control system and/or the field operator station collected and/or pre-processed via the unidirectional acquisition gateway and/or device (asset) information (e.g., IP address, device name, and/or device type of the device, etc.) associated with the security event.

In response to receiving the device information and/or the security event information, flow proceeds to block 204 to query a device management system (e.g., 120). For example, a device information query request may be sent to a device management system (e.g., 120) based on the received device information. Information from the device management system, such as administrator (administrator and/or operator) information of the device, and/or IP address, device name, device type, and/or operating system type and version information of the device, is obtained by querying a device library of the device management system.

At block 206, the device information may be checked, for example, the device information corresponding to the security event may be compared to corresponding device information in a device library of the device management system. In one embodiment, the device information check may be performed by comparing the obtained IP address, device name, device type, and/or operating system type and version information, etc. (although the present invention is not limited thereto) with the corresponding device information in the device library.

At decision block 208, it may be determined whether the obtained device information is complete by the device information check result of block 206. For example, in one embodiment, a determination may be made as to whether the device information corresponding to the security event is consistent with corresponding device information in a device library. If it is determined at the decision block 208 that the obtained device information is complete, e.g., the device information corresponding to the security event is consistent with the corresponding device information in the device library, flow proceeds to block 212 to send an event processing request (e.g., the security event, device information, and/or disposal recommendation, etc.) to an operator of the corresponding device (e.g., via 130) and/or to perform an alert (e.g., via 140) to enable the operator to process the security event.

Conversely, if it is determined at decision block 208 that the obtained device information is incomplete, e.g., the device information corresponding to the security event differs from the corresponding device information in the device library or the device information corresponding to the security event does not exist in the device library, etc., then flow may proceed to block 210. At block 210, in response to determining that the obtained device information is incomplete, a device information exception prompt is presented.

In one embodiment, if the device information corresponding to the security event differs from the corresponding device information in the device library, the difference comparison is sent as an attachment to a manager of the corresponding device and/or an alarm is raised (block 212) along with an event handling request or the like for the operator to handle the security event. In another embodiment, if device information corresponding to a security event does not exist in the device library, which may be a new device or an offending access device, a security event processing request and/or device information/handling recommendation (e.g., for a security event of the same type as the processed event), etc. may be sent directly to an administrator of the corresponding device for processing and/or alerting (block 212).

At block 214, the results of the processing by the manager of the respective device may be fed back to, for example, the integrated security situational awareness system 118. For example, referring to fig. 1, for the case of complete device information, the event processing gateway 116 may feed back the processing result of the event processing performed by the administrator to the integrated security situational awareness system 118. The integrated security situation awareness system 118 may flag the processed event to confirm that the event has been processed. After confirming that the event has been handled, the event processing gateway 116 may also send a message to the corresponding manager through the event notification system 140 that the event has been handled, for example.

In another embodiment, in the case that there is a difference between the device information corresponding to the security event and the information in the device management system, after the corresponding administrator processes the event, the processing result may be returned, for example, in the work order processing system 130. If the administrator confirms that the device is updated, the administrator may reply to the device management system 120 via the event processing gateway 116 to cause the device management system 120 to update the device in the device library. After the device information is checked, the manager may process the event while the device is confirmed, and return the processing result to the integrated security situation awareness system 118 via the event processing gateway 116.

In yet another embodiment, for the case where the device information corresponding to the security event does not exist in the device management system, it may be a new device or an illegal access device, and the administrator of the corresponding event may confirm whether the new device or the illegal device is accessed. For example, for a new device, the event processing gateway 116 may feed this new device information back to the device management system 120 to cause the device management system 120 to automatically join the new device to the device management system. If not, the event processing gateway 116 may return the administrator's non-legitimate new device options received via the work order processing system 130 to the integrated security posture awareness system 118. In response to the feedback, the integrated security posture awareness system 118 may generate an offending device access security event. In one embodiment, the manager may process the event while the device confirms, and the event processing gateway 116 may forward the processing result returned by the manager to the integrated security situation awareness system 118 for detection and processing.

At block 216, the event processing gateway 116 may close the event in the integrated security situation awareness system 118, which marks the event whose processing has been confirmed. In another embodiment, the event processing gateway 116 may also send a message to the manager that the event processing is complete after confirming that the event processing is complete.

Fig. 3 shows an example of a method according to another embodiment of the invention. As shown in FIG. 3, in one embodiment, the method may be used in the centralized processing center 110 (e.g., event processing gateway 116) of FIG. 1 for comprehensive situation management and the like.

Referring to fig. 3, at decision block 302, it may be determined whether the device information is complete. For example, whether the obtained device information is complete may be determined from the result of comparing whether the device information corresponding to the security event agrees with the corresponding device information in the device library. If it is determined at decision block 302 that the obtained device information is complete, e.g., the device information corresponding to the security event is consistent with the corresponding device information in the device library of the device management system 120, flow proceeds to block 320 to issue an event processing request (e.g., the security event, device information, and/or handling recommendations, etc.) to an operator of the corresponding device and/or to alert the operator to process the security event. Then, at block 322, the processing results returned by the operator may be received and/or fed back to the integrated security situational awareness system 118. At block 324, the event may be closed in the integrated security posture awareness system 118 to confirm the processed event (e.g., mark it as processed) and/or the manager may be notified that event processing is complete after confirming that the event has been handled.

Conversely, if it is determined at decision block 208 that the obtained device information is incomplete, e.g., the device information corresponding to the security event differs from the corresponding device information in the device library, flow may proceed to block 304 to treat the difference comparison as an attachment. In block 306, the event processing request together with the difference comparison result and/or handling suggestion and the like is sent to the manager of the corresponding device, and/or an alarm is raised as a device information exception prompt and the like. At block 308, the results of the processing by the manager may be received. If the manager confirms that the device is updated, the manager's update instruction may be received. At block 310, the results of the manager's processing may be fed back to, for example, the integrated security situation awareness system 118 to enable the integrated security situation awareness system 118 to confirm (flag) that the event has been processed. At block 312, an update request may be sent to the device management system 120 for a device information update based on the update instruction returned by the manager via the work order processing system 130, and/or the confirmed processed event may be closed, and/or the result of the processed event may be sent to the manager, for example, via the event notification system 140.

On the other hand, if it is determined at decision block 302 that device information corresponding to the security event does not exist in the device library, etc., flow proceeds to block 314 to send an event processing request and/or device information and/or disposition advice, etc. for the security event to the manager of the corresponding device, and/or to raise an alert as a device information exception prompt, etc. The manager can process the event while confirming the device, and return the processing result to the event processing gateway. For example, the administrator may confirm whether the accessing device is a new device or an illegal device.

At block 318, the processing results returned by the administrator and/or the new device option or the illegal device access option confirmed by the administrator may be fed back to the integrated security posture awareness system 118. For example, if the manager confirms that the device is a new device, flow may return to block 312 to cause the device management system 120 to update its library by adding the new device, and/or to close the security event and/or send a notification to the manager. On the other hand, if the device is an illegal new device that has accessed the system, flow may return to block 320, for example, to send the event processing request, the device information and/or the handling recommendation, etc. of the illegal device access security event generated by the integrated security posture awareness system 118 to the manager, and/or raise an alarm, and/or receive the processing result, and/or feed the result back so that the integrated security posture awareness system performs detection and processing, and/or close the processed security event and send a notification to the manager, according to blocks 320 to 326, etc.
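The device information check and dispatch branches of FIG. 2 (blocks 204 to 212) and FIG. 3 (blocks 302 to 320), written out as an added model in Python; this is not code from the patent. The device library schema, the interface names (query, update, add), the recipient for devices absent from the library, and all sample records are assumptions.

```python
"""Device-information check and dispatch of the event processing gateway
(FIG. 2 blocks 204-212, FIG. 3 blocks 302-320). Added model: the library
schema, interface names and all sample data are assumptions."""
from dataclasses import dataclass, field

# Fields the awareness system reports and the gateway compares with the library.
COMPARED_FIELDS = ("ip", "name", "device_type", "os_type", "os_version")
DEFAULT_SECURITY_ADMIN = "security-admin"  # assumed recipient for unknown devices


@dataclass
class DeviceRecord:
    ip: str
    name: str
    device_type: str
    os_type: str
    os_version: str
    administrator: str
    operator: str


@dataclass
class WorkOrder:  # what the gateway hands to the work order management system
    event_type: str
    device: dict
    recipients: list
    status: str  # "consistent", "discrepancy" or "unknown_device"
    attachment: dict = field(default_factory=dict)  # difference comparison
    prompt: str = ""  # device information exception prompt (block 210)


class DeviceManagementSystem:  # toy device library with query/update interfaces
    def __init__(self, records):
        self._by_ip = {r.ip: r for r in records}

    def query(self, ip):
        return self._by_ip.get(ip)

    def update(self, ip, **changes):
        for key, value in changes.items():
            setattr(self._by_ip[ip], key, value)

    def add(self, record):
        self._by_ip[record.ip] = record


class EventProcessingGateway:
    def __init__(self, dms):
        self.dms = dms
        self.alerts = []  # (recipients, event_type, message) sent via notification

    def check_device(self, event_type, observed):
        """Blocks 204-208: query the library and compare observed vs stored info."""
        record = self.dms.query(observed["ip"])
        if record is None:  # block 210: may be a new or an illegally accessed device
            return WorkOrder(event_type, observed, [DEFAULT_SECURITY_ADMIN],
                             "unknown_device", prompt="device not in device library")
        diffs = {f: {"observed": observed[f], "library": getattr(record, f)}
                 for f in COMPARED_FIELDS
                 if f in observed and observed[f] != getattr(record, f)}
        recipients = [record.administrator, record.operator]
        if diffs:  # block 304: the difference comparison travels as an attachment
            return WorkOrder(event_type, observed, recipients, "discrepancy",
                             attachment=diffs,
                             prompt="device information differs from device library")
        return WorkOrder(event_type, observed, recipients, "consistent")

    def dispatch(self, event_type, observed):
        """Block 212: open the work order and alert the same recipients."""
        order = self.check_device(event_type, observed)
        self.alerts.append((tuple(order.recipients), event_type, order.status))
        return order

    def close(self, order, result):
        """Blocks 308-312 and 318: apply the manager's returned work order result
        to the device library and return what the awareness system is told."""
        outcome = "processed"
        if order.status == "discrepancy" and result.get("device_updated"):
            self.dms.update(order.device["ip"],
                            **{f: v["observed"] for f, v in order.attachment.items()})
            outcome = "processed_and_library_updated"
        elif order.status == "unknown_device":
            if result.get("new_device"):  # manager confirmed a legitimate new device
                self.dms.add(DeviceRecord(
                    *[order.device.get(f, "") for f in COMPARED_FIELDS],
                    administrator=result["administrator"], operator=result["operator"]))
                outcome = "new_device_added"
            else:  # awareness system will generate an illegal device access event
                outcome = "illegal_device_access"
        self.alerts.append((tuple(order.recipients), order.event_type, outcome))
        return outcome


# Constructed sample data modelling the malicious-code scan example above.
SAMPLE_LIBRARY = [DeviceRecord("10.1.2.30", "OPS-01", "operator_station",
                               "Windows", "10.0.18363", "alice", "bob")]
SAMPLE_SCAN_EVENT = {"ip": "10.1.2.30", "name": "OPS-01", "device_type":
                     "operator_station", "os_type": "Windows",
                     "os_version": "10.0.19044"}  # newer than the library copy
UNKNOWN_DEVICE_EVENT = {"ip": "10.1.2.99", "name": "PLC-X", "device_type": "plc"}
```

Dispatching SAMPLE_SCAN_EVENT yields a "discrepancy" order whose attachment carries only the operating system version difference; closing it with a device-updated result writes the observed version back into the library, after which the same event checks as "consistent".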

Fig. 4 shows a flow diagram of a method according to yet another embodiment of the invention. As shown in FIG. 4, in one embodiment, the method may be used to enable the centralized control center 110 (e.g., the integrated security situational awareness system 118) shown in FIG. 1 to perform integrated situational management and the like.

Referring to fig. 4, at block 402, field traffic data collected and/or pre-processed via, for example, unidirectional collection gateway 108 may be received. At block 404, the field traffic data may be analyzed to detect a security event. At block 406, a determination may be made as to whether a security event exists based on the analysis of the field traffic data. If a security event does not exist, flow returns to block 402 to continue receiving field traffic data.

On the other hand, if it is determined at block 406 that a security event is detected, flow proceeds to decision block 408 to determine whether the security event is of the same kind as an event already tagged as processed. For a homogeneous security event, flow may proceed to block 410 to associate it with the original event and restart the security event processing flow (e.g., blocks 412 through 420), and/or to send a disposition recommendation and the like to the corresponding administrator for processing through the event processing gateway 116. In another embodiment, when a homogeneous security event is detected, a higher-level security administrator and/or the system's responsible person may also be notified according to an event secondary-processing rule, for example through the event notification system 140, so that further analysis and processing ensure the security event is completely resolved. The invention is not so limited, however: in another embodiment the detection of homogeneous security events may be omitted and flow may proceed directly to block 412, and in another embodiment the higher-level security administrator and/or the system's responsible person need not be notified.

At block 412, device information and/or security event information and/or disposition recommendations may be sent so that the event processing gateway 116 can send an event processing request and/or an alarm to the corresponding manager. At block 414, the processing result returned by the manager may be received, for example via the event processing gateway 116. At block 416, the processing result may be checked and/or processed. For example, at decision block 418 a determination may be made, based on the processing result, as to whether the event has been fully processed or whether an offending device has been accessed. At block 420, if it is determined that the event has been processed, the event is tagged as processed to confirm its completion. Flow may then return to block 402 to continue security event detection.

On the other hand, if it is determined at decision block 418 that an offending device has been accessed, an offending-device-access security event is generated at block 422 and flow returns to block 412 to process that security event according to blocks 412 through 420; once the event is confirmed at block 420 as processed, flow returns to block 402 for security event detection.
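The closed loop described for the event processing gateway (device-library lookup and administrator confirmation at blocks 302 to 320 of Fig. 3) and for the situational awareness system (detection, homogeneous-event check, dispatch, result check and re-opening at blocks 402 to 422 of Fig. 4) can be modelled in a few dozen lines. The following Python is an added example, not code from the patent or any product it describes; the class and field names, the detection rule (any write from the field network raises an event), the device library entries, the flow records and the scripted administrator answers are all constructed assumptions.

```python
"""Closed-loop security event handling modelled on Figs. 3 and 4.
Added example; names, detection rule and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SecurityEvent:
    event_id: int
    kind: str                          # e.g. "unauthorized_write", "illegal_device_access"
    device_ip: str
    device_mac: str
    processed: bool = False
    related_to: Optional[int] = None   # earlier event of the same kind (block 410)


@dataclass
class ProcessingResult:
    """What the administrator returns through the work order system (block 506)."""
    done: bool = False
    new_device: bool = False
    offending_device: bool = False
    assigned_admin: str = ""           # only meaningful when new_device is True


# Constructed device library of the device management system: ip -> mac, admin.
DEVICE_LIBRARY: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"mac": "00:11:22:33:44:55", "admin": "alice"},
}


class EventProcessingGateway:
    """Blocks 302-320: resolve the device's administrator, raise the request
    (work order plus notification, modelled as one callable) and relay the answer."""

    def __init__(self, library: Dict[str, Dict[str, str]],
                 ask_admin: Callable[[str, SecurityEvent], ProcessingResult]):
        self.library = library
        self.ask_admin = ask_admin
        self.requests: List[Tuple[str, int]] = []   # (admin, event_id) audit trail

    def handle(self, ev: SecurityEvent) -> ProcessingResult:
        entry = self.library.get(ev.device_ip)
        if entry is not None and entry["mac"] == ev.device_mac:
            admin = entry["admin"]       # known device: its own administrator
        else:
            admin = "security_admin"     # block 314: device-information exception
        self.requests.append((admin, ev.event_id))
        result = self.ask_admin(admin, ev)
        if result.new_device:            # block 312: enrol the confirmed new device
            self.library[ev.device_ip] = {"mac": ev.device_mac,
                                          "admin": result.assigned_admin or admin}
        return result


class SituationalAwarenessSystem:
    """Blocks 402-422: detect, dispatch, check the result, close or re-open."""

    def __init__(self, gateway: EventProcessingGateway):
        self.gateway = gateway
        self.events: List[SecurityEvent] = []
        self.escalations: List[int] = []   # ids passed to the higher-level admin
        self._next_id = 1

    def detect(self, record: dict) -> Optional[SecurityEvent]:
        """Blocks 404/406. Constructed rule: any write from the field network is an event."""
        if record.get("op") != "write":
            return None
        ev = SecurityEvent(self._next_id, "unauthorized_write", record["ip"], record["mac"])
        self._next_id += 1
        return ev

    def handle(self, ev: SecurityEvent) -> SecurityEvent:
        # Block 408: same kind on the same device as an already processed event?
        for old in self.events:
            if old.processed and old.kind == ev.kind and old.device_ip == ev.device_ip:
                ev.related_to = old.event_id           # block 410
                self.escalations.append(ev.event_id)   # secondary-processing rule
                break
        self.events.append(ev)
        result = self.gateway.handle(ev)               # blocks 412-416
        if result.offending_device:                    # block 418 -> 422
            follow_up = SecurityEvent(self._next_id, "illegal_device_access",
                                      ev.device_ip, ev.device_mac)
            self._next_id += 1
            self.handle(follow_up)                     # back to block 412
        ev.processed = result.done                     # block 420
        return ev


def run_demo() -> dict:
    """Drive the loop with constructed flow records and scripted administrator answers."""
    def scripted_admin(admin: str, ev: SecurityEvent) -> ProcessingResult:
        if ev.kind == "illegal_device_access":
            return ProcessingResult(done=True)                       # device blocked
        if admin != "security_admin":
            return ProcessingResult(done=True)                       # known device handled
        if ev.device_ip == "10.0.0.7":
            return ProcessingResult(done=True, new_device=True, assigned_admin="bob")
        return ProcessingResult(done=True, offending_device=True)   # unknown device

    gateway = EventProcessingGateway(dict(DEVICE_LIBRARY), scripted_admin)
    saw = SituationalAwarenessSystem(gateway)
    records = [   # constructed pre-processed records from the unidirectional gateway
        {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "op": "read"},
        {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "op": "write"},
        {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "op": "write"},
        {"ip": "10.0.0.9", "mac": "de:ad:be:ef:00:01", "op": "write"},
        {"ip": "10.0.0.7", "mac": "00:aa:bb:cc:dd:07", "op": "write"},
    ]
    for rec in records:                               # block 402 loop
        ev = saw.detect(rec)
        if ev is not None:
            saw.handle(ev)
    return {"events": [(e.event_id, e.kind, e.processed, e.related_to) for e in saw.events],
            "escalations": saw.escalations, "requests": gateway.requests,
            "library": gateway.library}
```

Running `run_demo()` shows the second write from 10.0.0.5 being linked to the first and escalated, the unknown device 10.0.0.9 producing a follow-up `illegal_device_access` event that is processed through the same path before the original event is closed, and the confirmed new device 10.0.0.7 being enrolled in the library with its assigned administrator. The scripted administrator is what prevents the offending-device branch from looping forever: the follow-up event must come back as done rather than as another offending-device answer.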

Fig. 5 shows an example of a method according to a further embodiment of the invention. Referring to Fig. 5, in one embodiment a work order processing system 130 such as that shown in Fig. 1 may perform work order processing and the like according to the described method.

As shown in Fig. 5, in one embodiment, at block 502 an event processing request, for example comprising device information, security event information, a handling recommendation (e.g., for a security event homogeneous with an already processed event), and/or device information differences, may be received from, for example, the event processing gateway 116. At block 504, the received event processing request may be forwarded to the manager of the corresponding device for processing. At block 506, the feedback processing result, and/or update instructions, and/or device confirmation information returned by the administrator may be sent, for example, to the event processing gateway 116 for forwarding to the integrated security posture awareness system 118 for detection and/or processing.

Fig. 6 illustrates an example device 600 in accordance with one embodiment of the invention. In one embodiment, the device 600 may be used to implement one or more of the devices shown in Fig. 1, such as the integrated security posture awareness system 118, the event processing gateway 116, the device management system 120, the work order management system 130, and/or the event notification system 140, although the invention is not limited thereto. In another embodiment, one or more of the devices shown in Fig. 1 may be integrated or discrete. In one embodiment, the device 600 may include various architectures of one or more integrated circuit chips and/or packages and/or various computing and/or electronic devices, and the like. The device 600 may include one or more processors 602 and one or more memories 604 coupled to the one or more processors 602. In one embodiment, the one or more memories 604 may include various storage devices such as random access memory, dynamic random access memory, or static random access memory. In one embodiment, the one or more memories 604 may be used to store one or more instructions (e.g., machine-readable instructions and/or computer programs) that may be read and/or executed by the one or more processors 602. The one or more instructions may also be stored on a non-volatile machine-readable storage medium. When executed, the one or more instructions cause the one or more processors 602 to implement one or more of the modules shown in Fig. 1 and/or to perform one or more of the operations described above with reference to Figs. 1 to 5. In one embodiment, the device 600 also has a communication module to communicate with one or more other devices. Fig. 6 illustrates only one example of a device 600 and is not intended to limit the present invention.

As described above, according to the embodiments of the present invention shown in Figs. 1 to 6, the integrated situation management and control system of the present invention collects data from the field control system using the unidirectional collection gateway, associates asset information with an event after detecting a security event, and performs a check using the information of the event processing gateway and the equipment management system; this helps detect changes in asset information in the equipment management system and update the asset information in the asset library at the same time.

According to the embodiment of the invention, the information of the equipment managers or responsible persons is queried from the equipment management system, so that the work order management system and the event notification system can notify the related personnel to process the event in time, improving the response time and handling efficiency of the event.

According to the embodiment of the invention, the event processing gateway can be closely integrated with an industrial production enterprise's existing digital intelligent system using a standard interactive interface, achieving timely and effective closed-loop processing of security events; at the same time, the detection accuracy of the security situation perception system and the accuracy of the asset information can be improved by combining with the digital intelligent manufacturing system.

By promptly informing administrators and operators, and by also informing security administrators or the management layer of security events, security awareness education can be carried out for enterprise staff, the implementation of the safety control system can be promoted, and the safety control level of the new material control system can be continuously improved.

Through security situation perception and security event processing in the new material control system, the problem that existing situation perception systems emphasize analysis over handling is addressed; closed-loop security event management is realized through the security event processing gateway, the defect that existing industrial control situation perception systems cannot be well integrated with digital intelligent manufacturing systems is overcome, and the security event processing capability is improved.

The above description is only an example of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
