Disclosure of Invention
To address the above problems, the application provides a safety arrangement, control and automatic treatment method for various equipment types, which can realize the safety management and automatic treatment of various equipment and improve the safety and the coping capacity of an industrial Internet environment.
The application provides a safety arrangement, control and automatic treatment method for various equipment types, which comprises the following steps:
Acquiring equipment information in an industrial Internet environment, wherein the equipment information comprises equipment type, an operating system and a firmware version;
classifying and identifying the equipment based on the acquired equipment information, and establishing an equipment asset list;
constructing a security arrangement platform, wherein the security arrangement platform integrates a plurality of security tools and control measures;
formulating, for the different types of equipment in the equipment asset list, corresponding security policies and management and control rules on the security arrangement platform to form a policy library;
utilizing the security arrangement platform to deploy and configure a corresponding security monitoring module for each type of equipment according to the policy library, so as to realize real-time monitoring of the running state and network behavior of the equipment;
Based on the matched policies, the security orchestration platform coordinates and triggers the automated treatment process, orchestrating the execution of the following security treatment operations:
implementing isolation measures corresponding to specific devices in the device asset list;
pushing the matched firmware update according to the equipment information;
and automatically adjusting the security configuration according to the type of the equipment.
Still further, the acquiring device information in the industrial internet environment includes:
deploying a network scanning probe in an industrial internet environment, and discovering devices in a network by using the network scanning probe;
determining the communication protocol type of the equipment by utilizing a protocol identification technology;
based on the protocol type, executing a corresponding information acquisition instruction to acquire equipment information;
and establishing a device information database, and storing and updating the acquired device information.
Still further, the classifying and identifying the devices based on the obtained device information, and establishing a device asset list includes:
performing preliminary classification according to the equipment type;
further performing subdivision classification based on the operating system version, the firmware version and the preliminary classification result;
assigning a unique identifier to each device;
recording the physical position and the network topology position of the equipment;
and generating and maintaining a detailed device information profile for each device, including a device type, an operating system version, a firmware version, a physical location, a network location, and a unique identifier.
Still further, the constructing a security orchestration platform includes:
integrating a plurality of safety tools and control measures;
providing a unified management interface through which a user configures, monitors and manages the various security tools and control measures;
configuring an automated task scheduler for automatically performing security check, update and response tasks according to predefined policies and rules;
integrating a log management and analysis module for centrally collecting and storing log data from each safety tool and device, and supporting the analysis of real-time and historical data;
and providing an alarm and notification system that automatically generates an alarm and notifies relevant personnel when abnormal behavior or a security threat is detected.
Still further, the safety tool and control measures include:
an intrusion detection system and an intrusion prevention system for monitoring and detecting abnormal behaviors and potential threats in network traffic in real time;
a firewall providing rule-based access control to protect networks and devices from unauthorized access;
antivirus and antimalware tools for detecting and cleaning viruses and malware in devices;
data encryption means for protecting sensitive data in transmission and storage;
a multi-factor authentication system for enhancing the identity verification security of the equipment and the user;
and behavior analysis tools that identify and respond to abnormal device behavior and network activity using data analysis techniques.
Further, the step of formulating corresponding security policies and management rules on the security arrangement platform for different types of devices in the device asset list to form a policy library includes:
formulating an initial security policy according to the type of the equipment, wherein the initial security policy comprises access control, data transmission encryption and abnormal behavior detection;
formulating a targeted patch management and update strategy based on the operating system and firmware version of the equipment, so that the equipment is ensured to always run the latest secure version;
setting different security levels and emergency response measures according to the roles and importance of equipment in the network;
and defining security rules for specific data sensitivity and device connectivity, including data transfer restrictions, encryption requirements, and access logging.
Further, the deploying and configuring a corresponding security monitoring module for each type of equipment by using the security arrangement platform according to the policy repository, to realize real-time monitoring of the running state of the equipment and the network behavior, includes:
installing a customized security monitoring module on each type of equipment, and adapting to the operating system and firmware version of the equipment;
and configuring the monitoring module to collect equipment operation state data in real time, including CPU utilization, memory occupation, disk activity and network connection state, and to analyze equipment network behavior in real time, monitoring inbound and outbound traffic and detecting abnormal traffic patterns and suspicious network activity.
Furthermore, the method for utilizing the security arrangement platform to deploy and configure corresponding security monitoring modules for each type of equipment according to the policy library to realize real-time monitoring of the running state of the equipment and the network behavior further comprises the following steps:
protecting the monitoring data transmitted from the equipment to the security arrangement platform using encryption, so that the data cannot be tampered with or stolen in transit;
summarizing the monitoring data at the security arrangement platform for centralized analysis, and carrying out real-time anomaly detection using the predefined security policies and management and control rules;
and setting an alarm mechanism, whereby the monitoring module immediately informs the security arrangement platform when it detects abnormal behavior or a potential threat, and generates a detailed alarm report.
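As an added illustration that is not part of the patent text, the following Python stand-in for a monitoring module applies a policy-library entry to telemetry samples (CPU, memory, disk activity, peer connections, outbound volume), produces one alarm report per offending sample, and tags each report with an HMAC-SHA256 so the platform can detect tampering in transit. The policy thresholds, shared key and samples are all constructed; the HMAC covers integrity only, and confidentiality of the channel is assumed to come from TLS.

```python
import hashlib
import hmac
import json

# Constructed thresholds standing in for one policy-library entry (a PLC-type device).
POLICY_PLC = {
    "cpu_pct_max": 85.0,
    "mem_pct_max": 90.0,
    "allowed_peers": {"10.0.1.5", "10.0.1.6"},
    "max_outbound_bytes_per_min": 5_000_000,
}

# Key shared between the monitoring module and the platform (constructed placeholder;
# a deployment provisions one per device and runs the channel itself over TLS).
SHARED_KEY = b"example-shared-key-replace-in-deployment"

# Constructed one-minute telemetry samples from the monitored device.
SAMPLES = [
    {"ts": "2024-05-01T08:00:00Z", "cpu_pct": 35.0, "mem_pct": 60.0,
     "disk_io_per_s": 12, "peers": ["10.0.1.5"], "outbound_bytes": 120_000},
    {"ts": "2024-05-01T08:01:00Z", "cpu_pct": 92.5, "mem_pct": 61.0,
     "disk_io_per_s": 900, "peers": ["10.0.1.5", "203.0.113.44"], "outbound_bytes": 8_400_000},
    {"ts": "2024-05-01T08:02:00Z", "cpu_pct": 40.0, "mem_pct": 60.5,
     "disk_io_per_s": 15, "peers": ["10.0.1.6"], "outbound_bytes": 110_000},
]


def evaluate_sample(sample: dict, policy: dict) -> list:
    """Return a description of every policy violation found in one telemetry sample."""
    findings = []
    if sample["cpu_pct"] > policy["cpu_pct_max"]:
        findings.append(f"cpu {sample['cpu_pct']}% above {policy['cpu_pct_max']}%")
    if sample["mem_pct"] > policy["mem_pct_max"]:
        findings.append(f"memory {sample['mem_pct']}% above {policy['mem_pct_max']}%")
    # Any peer outside the policy's allow-list is a suspicious network activity.
    for peer in sorted(set(sample["peers"]) - policy["allowed_peers"]):
        findings.append(f"connection to unexpected peer {peer}")
    if sample["outbound_bytes"] > policy["max_outbound_bytes_per_min"]:
        findings.append(f"outbound {sample['outbound_bytes']} B/min above limit")
    return findings


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_alert(device_id: str, sample: dict, findings: list, key: bytes = SHARED_KEY) -> dict:
    """Assemble the alarm report and tag it with HMAC-SHA256 so tampering in transit is detectable."""
    body = {"device_id": device_id, "timestamp": sample["ts"],
            "findings": findings, "sample": sample}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def verify_alert(alert: dict, key: bytes = SHARED_KEY) -> bool:
    """Platform-side check: recompute the tag over the received body and compare in constant time."""
    expected = hmac.new(key, _canonical(alert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, alert["hmac"])


def process_samples(device_id: str, samples: list, policy: dict) -> list:
    """Run the monitoring rules over a batch of samples; one alert per sample with findings."""
    alerts = []
    for sample in samples:
        findings = evaluate_sample(sample, policy)
        if findings:
            alerts.append(build_alert(device_id, sample, findings))
    return alerts


if __name__ == "__main__":
    for alert in process_samples("plc-07", SAMPLES, POLICY_PLC):
        print(json.dumps(alert["body"], indent=2), "verified:", verify_alert(alert))
```

Only the second sample trips the rules (CPU, an unexpected peer and outbound volume), so one alarm report is produced; altering any field of the report after signing makes `verify_alert` return False.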
Still further, when the security monitoring module detects a potential security threat, the security orchestration platform automatically matches corresponding policies in the policy repository, including:
The importance index DI of a device that detects a potential security threat is calculated according to the following equation (1):
;
Wherein, Is a key functional factor of the device; data sensitivity for the device; For the equipment connectivity, w1, w2 and w3 are weight coefficients; And To adjust parameters;
threat severity TS is evaluated according to the following equation (2):
;
Wherein, Is the false alarm probability; the vulnerability is affected; is attack index strength; to adjust parameters;
the policy validity PE is calculated based on the history data according to the following formula (3):
;
Wherein, Is the firstSuccess rate of the secondary application strategy; And Respectively a time decay parameter and a stability adjustment parameter; the historical application times;
the policy matching score SMS is calculated according to the following formula (4):
;
Wherein, Is a weight coefficient and satisfiesAndTo adjust parameters;
and sorting the policies in the policy library according to the policy matching score SMS, selecting the policy with the highest score as the matched policy, and orchestrating and executing the automated treatment flow.
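As an added illustration that is not part of the patent text, the following Python code shows the shape of the matching step: a device importance DI, a threat severity TS and a history-based policy effectiveness PE are combined into a matching score SMS, every policy in the library is scored, and the highest-scoring one is selected. The equations (1) to (4) above are not reproduced on this page, so the scoring functions here are simple stand-ins (a weighted sum for DI, an impact-times-strength product discounted by the false-alarm probability for TS, a time-decayed mean with a stability term for PE, and a weighted combination gated by applicability for SMS); the weights, decay and stability parameters, policies and history values are all assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    handles: set                                  # threat classes this policy is written for
    history: list = field(default_factory=list)   # success rate of each past application, oldest first


def device_importance(key_function: float, data_sensitivity: float, connectivity: float,
                      w=(0.5, 0.3, 0.2)) -> float:
    """Stand-in for DI: weighted sum of the three device factors (each in 0..1). Assumed form."""
    return w[0] * key_function + w[1] * data_sensitivity + w[2] * connectivity


def threat_severity(false_alarm_prob: float, vulnerability_impact: float,
                    attack_strength: float) -> float:
    """Stand-in for TS: impact times attack strength, discounted by the false-alarm probability."""
    return (1.0 - false_alarm_prob) * vulnerability_impact * attack_strength


def policy_effectiveness(history: list, decay: float = 0.2, stability: float = 0.5) -> float:
    """Stand-in for PE: time-decayed mean of past success rates. Older applications weigh
    less (decay), and the stability term pulls short histories toward a neutral 0.5."""
    if not history:
        return 0.5                                # prior for a never-applied policy
    n = len(history)
    weights = [math.exp(-decay * (n - i)) for i in range(1, n + 1)]
    weighted = sum(w * s for w, s in zip(weights, history))
    return (weighted + stability * 0.5) / (sum(weights) + stability)


def matching_score(policy: Policy, threat: dict, device: dict, w=(0.3, 0.4, 0.3)) -> float:
    """Stand-in for SMS: weighted combination of DI, TS and PE, zero for a policy that
    does not address the threat class at all."""
    if threat["class"] not in policy.handles:
        return 0.0
    di = device_importance(device["key_function"], device["data_sensitivity"], device["connectivity"])
    ts = threat_severity(threat["false_alarm_prob"], threat["vulnerability_impact"],
                         threat["attack_strength"])
    pe = policy_effectiveness(policy.history)
    return w[0] * di + w[1] * ts + w[2] * pe


def rank_policies(policies: list, threat: dict, device: dict) -> list:
    """Score every policy and return (name, score) pairs, best first; the first is executed."""
    scored = [(p.name, round(matching_score(p, threat, device), 4)) for p in policies]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed threat, device factors and policy library.
THREAT = {"class": "unauthorized_access", "false_alarm_prob": 0.1,
          "vulnerability_impact": 0.8, "attack_strength": 0.9}
DEVICE = {"key_function": 0.9, "data_sensitivity": 0.6, "connectivity": 0.7}
POLICIES = [
    Policy("isolate_device", {"unauthorized_access", "malware"}, [0.9, 0.95, 0.85]),
    Policy("push_firmware_update", {"known_vulnerability"}, [0.7, 0.8]),
    Policy("tighten_access_config", {"unauthorized_access"}, [0.4, 0.5]),
]

if __name__ == "__main__":
    ranked = rank_policies(POLICIES, THREAT, DEVICE)
    print("ranking:", ranked)
    print("selected policy:", ranked[0][0])
```

For a given alarm, DI and TS are the same for every candidate policy, so the ranking among applicable policies is decided by PE, while a policy that does not handle the threat class scores zero and is never selected.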
Furthermore, the method for security arrangement, control and automation treatment for multiple device types further comprises:
recording the process of each security disposal operation through the security orchestration platform, and generating a detailed security event report including device information, trigger reasons and measures taken.
The technical scheme provided by the application has the beneficial effects that:
by acquiring the equipment information in the industrial Internet environment, including equipment types, operating systems and firmware versions, accurate classification and identification of equipment are realized, and a systematic equipment asset list is established.
The constructed security orchestration platform integrates various security tools and control measures, so that security management is more efficient and centralized.
Corresponding security policies and management rules are formulated on the platform aiming at different types of equipment, and a flexible and dynamic policy library is formed. The corresponding safety monitoring module is deployed and configured through the safety arrangement platform, so that the real-time monitoring of the running state and the network behavior of the equipment can be realized.
When the monitoring module detects a potential security threat, the platform automatically matches the corresponding policy, coordinates and triggers an automatic treatment process, and performs operations such as isolation measures, firmware update pushing and security configuration adjustment. The method remarkably improves the automation degree of equipment safety management, reduces manual intervention and errors, improves the timeliness and effectiveness of handling safety threats, and enhances the safety and reliability of the industrial Internet environment as a whole.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. The present application may be embodied in many other forms than those herein described, and those skilled in the art will readily appreciate that the present application may be similarly embodied without departing from the spirit or essential characteristics thereof, and therefore the present application is not limited to the specific embodiments disclosed below.
The method for security arrangement, control and automation treatment for multiple equipment types provided by the first embodiment of the present application has a flow as shown in fig. 1, and includes the following steps:
step S101, equipment information in an industrial Internet environment is acquired, wherein the equipment information comprises equipment types, an operating system and firmware versions.
The present step will now be described in detail:
First, the system requires a tool that can scan and identify all connected devices in the network. This tool may be dedicated network scanning software or a functional module integrated in the security orchestration platform. The scan tool communicates with each device via a network protocol (e.g., SNMP, ICMP, ARP, etc.) to collect basic device information. Network scanning typically proceeds in two steps: first, the scanning tool scans all IP addresses in the network and identifies which of them are active; then, for each active IP address, the scan tool may attempt to communicate with the device via multiple network protocols to obtain detailed information about the device.
The information of the device type may be obtained by querying network interface information of the device or by a device Management Information Base (MIB). For example, the SNMP protocol allows a scan tool to query the MIB of a device, return information about the device type, etc. For devices that do not support SNMP, the scan tool may attempt to obtain device type information through a service interface such as HTTP, HTTPS, SSH of the device.
The acquisition of operating system information also relies on communication with the device. For devices supporting SNMP, operating system version information may be queried directly through the SNMP protocol. For devices that do not support SNMP, the scan tool can use service fingerprinting techniques to infer the operating system type and version from the device's open services and the characteristics of the network packets it returns. For example, operating system fingerprinting may be performed using tools such as nmap to infer the operating system on which the device is running and its version.
Firmware version information acquisition is more challenging. For some devices, the firmware version may be obtained by SNMP querying a specific OID (object identifier). For other devices, it may be necessary to obtain firmware version information through a management interface (e.g., web management interface, SSH interface, etc.) of the device. The scan tool may need to simulate logging onto these management interfaces, capture and parse the firmware version information returned by the device.
In the process of collecting device information, it is important to ensure the accuracy and integrity of data. Therefore, the system should be provided with a repeated verification function, and through multiple scans and cross-verification, the collected device information is ensured to be accurate. The information obtained from each scan should be stored in a central database for subsequent processing and analysis. The database should be designed in an efficient and scalable architecture to cope with the management needs of a large number of devices in an industrial internet environment.
In addition, to ensure security during the information gathering process, all communications with the devices should employ encryption protocols, such as HTTPS, SSH, etc., to prevent theft or tampering of the information during transmission. The system should also record the time and source of each information collection for traceability and auditing.
In summary, the implementation of step S101 includes the specific operations of scanning all IP addresses in the network using a network scanning tool, identifying active devices, communicating with devices through SNMP, HTTP, HTTPS, SSH protocols to obtain device type, operating system and firmware version information, deducing device operating system version using operating system fingerprint identification technology, obtaining firmware version information by simulating login device management interface, storing collected device information in a central database, and ensuring security of information transmission through encryption protocol.
More specifically, acquiring device information in an industrial internet environment includes:
First, a network scanning probe is deployed in an industrial internet environment. The probes may be dedicated hardware devices or may be software modules installed on existing network devices or servers. Network scanning probes should be deployed in critical locations that can cover the entire industrial internet network to ensure that all devices connected to the network can be discovered. In the deployment process, the network topology structure and the equipment distribution condition are considered, and the optimal deployment point is selected so as to realize comprehensive network coverage. Once the network scanning probe deployment is complete, the next step is to scan the network with these probes. The network scanning probe communicates with devices in the network by sending probe packets (e.g., ICMP, ARP, SNMP requests, etc.) to discover the presence of the devices. The probe will collect preliminary information about the device such as IP address, MAC address, etc. From this basic information, the network scanning probe can build a preliminary list of all devices in the network.
Next, a communication protocol type for each device is determined using protocol identification techniques. Protocol identification techniques identify the type of communication protocol used by a device by analyzing the characteristics of data packets returned by the device. For example, by analyzing SNMP packets of a device response, it can be determined whether the device supports the SNMP protocol, and by analyzing HTTP or HTTPS responses, it can be identified whether the device provides a Web service interface. Common protocol identification techniques include Deep Packet Inspection (DPI), protocol fingerprinting, port scanning, and the like. These techniques, when used in combination, can accurately identify the type of communication protocol used by the device.
After determining the communication protocol type of the device, corresponding information acquisition instructions are executed based on the protocol type to obtain more detailed device information. For example, for a device supporting the SNMP protocol, an SNMP GET request may be sent to obtain detailed information of the device, such as the device type, operating system version, firmware version, device model, etc. For a device supporting HTTP/HTTPS, the Web management interface information of the device can be acquired by sending an HTTP GET request, and the detailed device information in the Web management interface is parsed out. For equipment supporting industrial protocols such as Modbus or BACnet, the corresponding protocol instructions can be sent to acquire the running state and configuration information of the equipment.
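As an added illustration that is not part of the patent text, the following Python code classifies the first bytes a device returns on a probed port by protocol signature (SSH banner, HTTP status line, TLS record header, SNMP BER envelope, BACnet/IP BVLC header, Modbus/TCP MBAP header) and then maps each identified protocol to the acquisition instructions the platform would issue next. The response bytes are constructed; the acquisition plan lists standard SNMP system-group OIDs and the Modbus Read Device Identification function as text, with the actual request encoding left to a protocol client, and no login is attempted.

```python
# Protocol -> information-acquisition instructions to issue next (descriptive text only;
# OIDs and function codes are the standard ones, request encoding is left to a client).
ACQUISITION_PLAN = {
    "snmp": ["GET 1.3.6.1.2.1.1.1.0 (sysDescr)", "GET 1.3.6.1.2.1.1.2.0 (sysObjectID)"],
    "http": ["GET / and parse the web management page for model and firmware"],
    "ssh": ["record banner software version only"],
    "modbus": ["function 43 / MEI type 14: Read Device Identification"],
    "bacnet": ["ReadProperty on the Device object: vendor-name, firmware-revision"],
    "tls": ["retrieve server certificate subject and issuer"],
}

# Constructed first-response bytes per port for one device.
SAMPLE_RESPONSES = {
    22: b"SSH-2.0-OpenSSH_8.9\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.59\r\n\r\n",
    161: b"\x30\x0e\x02\x01\x01\x04\x06public\xa2\x01\x00",
    502: b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x2a",
    47808: b"\x81\x0a\x00\x04",
    443: b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00",
    9999: b"\x00\x00\x00\x00",
}


def identify_protocol(payload: bytes) -> str:
    """Classify a response by its wire-level signature; 'unknown' if nothing matches."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"HTTP/"):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # SNMP message: BER SEQUENCE with short-form length, then INTEGER version 0, 1 or 3.
    if (len(payload) >= 5 and payload[0] == 0x30 and payload[1] < 0x80
            and payload[2:4] == b"\x02\x01" and payload[4] in (0, 1, 3)):
        return "snmp"
    # BACnet/IP: BVLC type 0x81, 16-bit length equal to the whole frame.
    if (len(payload) >= 4 and payload[0] == 0x81
            and int.from_bytes(payload[2:4], "big") == len(payload)):
        return "bacnet"
    # Modbus/TCP MBAP: protocol id 0, length = bytes after the length field, function 1..127.
    if (len(payload) >= 8 and payload[2:4] == b"\x00\x00"
            and int.from_bytes(payload[4:6], "big") == len(payload) - 6
            and 1 <= payload[7] <= 127):
        return "modbus"
    return "unknown"


def plan_for_device(ip: str, responses: dict) -> dict:
    """Given {port: first response bytes}, record which protocols the device speaks
    and list the acquisition instructions to issue, in protocol order."""
    protocols = {}
    for port, payload in responses.items():
        proto = identify_protocol(payload)
        if proto != "unknown":
            protocols[proto] = port
    instructions = [f"{proto}:{port} -> {step}"
                    for proto, port in sorted(protocols.items())
                    for step in ACQUISITION_PLAN[proto]]
    return {"ip": ip, "protocols": protocols, "instructions": instructions}


if __name__ == "__main__":
    plan = plan_for_device("10.0.1.10", SAMPLE_RESPONSES)
    for line in plan["instructions"]:
        print(line)
```

The signature checks deliberately require structural consistency (length fields that match the frame, a plausible function code) rather than a single magic byte, which keeps a stray zero-filled response from being mistaken for Modbus.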
In order to ensure the security and integrity of information acquisition, all information acquisition instructions should be transmitted in encrypted form, so as to prevent information from being stolen or tampered with in transit. In addition, the security policies of the network and the equipment should be complied with during information acquisition, so that interference with the normal operation of the equipment is avoided. The sending frequency and mode of the information acquisition instructions should be optimized according to the equipment type and network conditions, so that the information stays current without causing network congestion or equipment overload.
The collected device information needs to be stored and managed. For this purpose, a device information database is created for storing and updating the acquired device information. The device information database should be designed as a structured database, such as a relational database or a NoSQL database, to support efficient data storage, query and update operations. The database structure should include basic information (e.g., IP address, MAC address), detailed information (e.g., device type, operating system version, firmware version) and status information (e.g., running status, last update time) of the device. The database should be provided with an automatic updating mechanism to ensure that the records in the database can be updated in time when the network scanning probe collects new equipment information.
Security of the database is also a key consideration. The device information database should be configured with access control policies so that only authorized users and system modules can access and operate the database. The database should be backed up regularly to prevent data loss, and a logging function should be configured to record all accesses and operations on the database, so as to facilitate auditing and fault investigation.
Through the above detailed steps, the network scanning probe can be deployed in an industrial internet environment, the communication protocol type of the equipment is determined by utilizing the protocol identification technology, the corresponding information acquisition instruction is executed based on the protocol type, and the equipment information database is established to store and update the acquired equipment information. Thus, the device information in the industrial Internet environment can be comprehensively and accurately acquired and managed, and basic data support is provided for subsequent safety arrangement, management and control and automatic treatment.
Step S102, classifying and identifying the equipment based on the acquired equipment information, and establishing an equipment asset list.
The following is a detailed description of this step:
First, the device information acquired from step S101 is stored in a central database. This database needs to have a well structured design for subsequent sorting and retrieval operations. The device information should include the device type, operating system, firmware version, and any other relevant device characteristic data, such as the physical location and network topology location of the device.
Next, preliminary preprocessing of these device information is required. This step includes data cleansing and normalization to ensure consistency and accuracy of all device information. For example, information of operating system and firmware versions is converted to a uniform format, removing any duplicate or redundant data records. After the preprocessing is completed, the device information may be classified according to a predefined classification rule.
Device classification may be based on a variety of criteria including, but not limited to, device type, operating system version, and firmware version. For example, device types may be categorized as sensors, actuators, controllers, computing devices, and the like. The operating system version and firmware version may also further subdivide device classes such as different versions of Windows systems, different versions of Linux systems, and various proprietary firmware versions, among others.
To implement device classification, the system may use a classification algorithm or rule-based classification method. For example, a set of classification rules may be written that define how devices are classified according to device information. The rule may include a conditional expression of "if the device type is a sensor and the operating system is Linux, then classified as a Linux sensor device". These rules may be implemented in the system in the form of scripts or rule engines that automatically perform device classification.
Each device needs to be identified while being classified. Each device should be assigned a Unique Identifier (UID), such as the device's MAC address, serial number, or system-generated unique ID. This unique identifier will be used to track and manage the status and changes of the device throughout the life cycle.
After classification and identification is complete, the information needs to be organized into a list of equipment assets. The device asset inventory should be stored in the form of a database table, with each record corresponding to a device containing all of the device's classification information and unique identifiers. The device asset inventory should also support quick retrieval and querying for subsequent security policy formulation and monitoring.
To further enhance the utility of the device asset inventory, additional metadata may be added, such as the physical location of the device, network topology location, owner information, and maintenance records. These metadata help to manage and maintain the device more efficiently in actual operation.
Finally, the device asset inventory should have the ability to be dynamically updated and maintained. The equipment asset inventory needs to be updated in time as new equipment is added, old equipment is removed and the status of existing equipment changes. Periodic scanning and updating mechanisms may be provided or the device asset inventory may be updated instantaneously by an event triggering mechanism as device information changes.
In summary, the implementation of step S102 includes preprocessing, classifying and identifying the device information obtained from step S101, and creating a structured, retrievable inventory of device assets while ensuring that the inventory has the ability to be dynamically updated and maintained.
More specifically, the classifying and identifying the devices based on the obtained device information, and establishing a device asset list includes:
First, using the device information acquired in step S101, preliminary classification is performed according to the device type. These device types include, but are not limited to, sensors, actuators, controllers, gateways, computers, and network devices. The preliminary classification may be based on basic attributes of the device, such as manufacturer information, device functionality, and device usage. With this preliminary classification, the devices can be grouped roughly, simplifying the subsequent subdivision classification process.
After the preliminary classification is completed, the classification needs to be further subdivided based on the operating system version, the firmware version, and the result of the preliminary classification. This step performs finer classification based on the operating system version and firmware version of the device. First, each device's operating system version, such as the different versions of Windows, Linux, real-time operating systems (RTOS), etc., is analyzed. The device is then subdivided in combination with its firmware version information. For example, the same type of device may run different versions of firmware that may affect the security and functional characteristics of the device. Thus, the subdivision classification further divides the devices into smaller groups based on operating system and firmware versions for more precise management and control.
After classification is completed, each device needs to be assigned a Unique Identifier (UID). The unique identifier may be a MAC address of the device, a serial number, or a system generated unique ID. This identifier is used to uniquely identify each device in the system, ensuring that each device can be accurately identified and tracked during the management and monitoring process. The generation and allocation process of unique identifiers needs to ensure their global uniqueness, avoiding collisions and duplication.
At the same time, the physical location and network topology location of each device are recorded. The physical location refers to the installation location of the device in actual physical space, such as a specific location in a production plant, a floor, a room, and the like. The network topology location refers to the location of the device in the network structure, such as the connected switch port, subnet information, and neighboring devices. The physical location and network topology location information helps to rapidly locate equipment when problems occur and to perform fault detection and maintenance.
Generating and maintaining a detailed device information profile for each device is the next task. The device information profile should include the device type, operating system version, firmware version, physical location, network location, and unique identifier. The device type records the primary classification result, the operating system version and firmware version record the software environment of the device, the physical location and network location record the installation and network connection condition of the device, and the unique identifier uniquely identifies the device. The device information profile should be stored in a structured manner in the device information database to ensure the integrity and retrievability of the information.
In order to maintain the accuracy and timeliness of the device information, the device information archive needs to be updated and maintained periodically. When the operating system version, firmware version or physical location of the device changes, the system should automatically or manually update the corresponding information file. In addition, the equipment information is checked regularly, so that the data in the equipment information file is consistent with the actual equipment state.
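As an added illustration that is not part of the patent text, the following Python code carries step S102 through on constructed scan records: it normalizes operating system and firmware version strings, performs the preliminary classification by device kind and the subdivision by OS family and major version, assigns a unique identifier in the order described above (MAC address, then serial number, then a generated ID), records the physical and network locations in a profile, and merges each new scan into the asset inventory so that changed devices are refreshed and devices that disappeared are flagged. The records, the OS-family keyword table and the profile fields are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed scan output standing in for the records collected in step S101.
RAW_DEVICES = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:55", "serial": "", "vendor": "ExampleCo",
     "kind": "sensor", "os": "Ubuntu 22.04 LTS", "firmware": "v4.2.1",
     "location": "plant A / floor 2 / room 204", "switch_port": "sw2:ge-0/0/7"},
    {"ip": "10.0.1.11", "mac": "", "serial": "PLC-7781-X", "vendor": "ExampleCo",
     "kind": "controller", "os": "FreeRTOS 10.4", "firmware": "FW 2.0",
     "location": "plant A / floor 1 / line 3", "switch_port": "sw1:ge-0/0/2"},
    {"ip": "10.0.1.12", "mac": "", "serial": "", "vendor": "ExampleCo",
     "kind": "gateway", "os": "", "firmware": "1.0.0",
     "location": "plant A / floor 1 / cabinet 9", "switch_port": "sw1:ge-0/0/1"},
]

# Keyword -> OS family; order matters, first match wins. Assumed table.
OS_FAMILIES = [("windows", "windows"), ("ubuntu", "linux"), ("debian", "linux"),
               ("linux", "linux"), ("rtos", "rtos"), ("vxworks", "rtos")]
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def normalize_version(text: str) -> str:
    """Reduce 'v4.2.1', 'FW 2.0' or '1.0.0' to a bare dotted version string."""
    m = VERSION_RE.search(text)
    return m.group(0) if m else "unknown"


def normalize_os(text: str) -> tuple:
    """Map a free-form OS string to (family, version); unrecognized strings become proprietary."""
    low = text.lower()
    family = next((fam for key, fam in OS_FAMILIES if key in low), "proprietary")
    return family, normalize_version(low)


def make_uid(raw: dict) -> str:
    """UID preference order from the description: MAC, then serial, then a generated ID."""
    if raw.get("mac"):
        return raw["mac"].lower()
    if raw.get("serial"):
        return raw["serial"]
    digest = hashlib.sha256(f"{raw['ip']}|{raw['vendor']}|{raw['kind']}".encode()).hexdigest()
    return "gen-" + digest[:12]


@dataclass
class Profile:
    uid: str
    kind: str
    os_family: str
    os_version: str
    firmware: str
    subclass: str
    location: str
    network_location: str
    status: str
    last_seen: str


def classify(raw: dict, seen_at: str) -> Profile:
    """Preliminary class = device kind; subdivision = kind/os-family-major-version."""
    family, os_version = normalize_os(raw.get("os", ""))
    firmware = normalize_version(raw.get("firmware", ""))
    subclass = f"{raw['kind']}/{family}-{os_version.split('.')[0]}"
    return Profile(make_uid(raw), raw["kind"], family, os_version, firmware, subclass,
                   raw["location"], raw["switch_port"], "active", seen_at)


def _fingerprint(p: Profile) -> tuple:
    # Fields whose change should count as an update to an existing asset record.
    return (p.os_family, p.os_version, p.firmware, p.location, p.network_location)


def update_inventory(inventory: dict, scan: list, seen_at: str) -> dict:
    """Merge one scan into the asset list: add new devices, refresh changed ones, flag absent ones."""
    counts = {"added": 0, "updated": 0, "missing": 0}
    seen = set()
    for raw in scan:
        new = classify(raw, seen_at)
        seen.add(new.uid)
        old = inventory.get(new.uid)
        if old is None:
            counts["added"] += 1
        elif _fingerprint(old) != _fingerprint(new) or old.status != "active":
            counts["updated"] += 1
        inventory[new.uid] = new
    for uid, profile in inventory.items():
        if uid not in seen and profile.status == "active":
            profile.status = "missing"
            counts["missing"] += 1
    return counts


if __name__ == "__main__":
    inventory = {}
    print(update_inventory(inventory, RAW_DEVICES, "2024-05-01T08:00:00Z"))
    for profile in inventory.values():
        print(profile)
```

Re-running `update_inventory` with each new scan gives the periodic update the description calls for; an event-triggered update would call the same function with a single-record scan.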
Step S103, a security arrangement platform is constructed, and the security arrangement platform integrates various security tools and control measures.
Constructing a security orchestration platform is a key step to ensure that the entire system can operate efficiently. To achieve this objective, a series of detailed and well-defined operations are required to ensure that the platform is able to integrate a variety of security tools and control measures and to provide a unified management and control interface.
First, appropriate hardware and software infrastructure must be selected to support efficient operation of the security orchestration platform. The hardware infrastructure should include high performance servers, network devices, and storage systems to ensure that the platform is able to handle a large amount of device information and security events. For the software infrastructure, an appropriate operating system, database management system, and middleware need to be selected to ensure the reliability, scalability, and security of the platform.
After the hardware and software infrastructure is ready, installation and configuration of the platform is required. First, an operating system and necessary underlying software, such as a database management system and middleware, are installed. Next, core software of the security orchestration platform is installed and configured, including security management consoles, policy management modules, monitoring and analysis modules, and the like. The software modules should be able to work in concert with each other to provide comprehensive security management functionality.
Integrating a variety of security tools and control measures is a core step in building a security orchestration platform. First, various security tools such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, antivirus software, and data encryption tools need to be selected and installed. Each security tool has its own functional and configuration requirements and therefore needs to be installed and configured according to specific needs. For example, firewalls need to be configured with access control rules, intrusion detection systems need to be configured with monitoring rules and alarm policies, and antivirus software needs to update its virus signature libraries periodically.
In installing and configuring security tools, it is desirable to ensure that these tools can be seamlessly integrated with the security orchestration platform. This may enable communication and data exchange between different security tools by using standard interfaces and protocols, such as RESTful APIs, SNMP, and Syslog. For example, the firewall and intrusion detection system may be configured to send the monitoring data to the security orchestration platform for centralized analysis and processing via SNMP protocol.
The construction of the security orchestration platform also requires the provision of a unified management and control interface so that the user can conveniently manage and control various security tools and control measures. This interface should include a security management console that provides centralized management functionality for all integrated security tools. The user may view device status, monitor security events, configure security policies and rules, and perform various security operations through the security management console. The security management console should have a good user interface design, provide an intuitive graphical interface and an easy-to-use operational flow.
To ensure efficient operation of the security orchestration platform, it is also necessary to configure and optimize the performance and security of the platform. This includes configuring load balancing and failover mechanisms to ensure that the platform remains stable under high load and failure conditions. There is also a need to configure access control and rights management for security orchestration platforms, ensuring that only authorized users can access and operate the functionality of the platform. Multi-factor authentication and Role Based Access Control (RBAC) security measures may be used to enhance platform security.
In addition, the security orchestration platform requires periodic maintenance and updates to ensure that it is able to cope with changing security threats and technological developments. The software version, patches and configuration of the platform are checked and updated regularly, ensuring that the platform is always in an optimal state. Meanwhile, security audits and evaluations are carried out regularly, and potential vulnerabilities and risks are identified and remediated.
Through the detailed and definite steps, a security arrangement platform integrating various security tools and control measures can be constructed, comprehensive security management and control functions are provided, and the security of equipment in an industrial Internet environment is ensured.
More specifically, the method for constructing the security orchestration platform comprises the following steps:
Integrating a variety of security tools and control measures. Constructing a security orchestration platform first requires integrating a variety of security tools and control measures. This process begins with the selection of the appropriate platform infrastructure, including hardware and software environments. In hardware, it is necessary to configure high-performance servers and storage devices to handle large amounts of security data and to perform complex security analyses. In terms of software, the operating system and database management system should be able to support high concurrency and high reliability.
Once the infrastructure is ready, the integration of the various types of security tools and control measures can begin. These tools include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, antivirus software, data encryption tools, multi-factor authentication systems, and behavioral analysis tools. Each tool has specific installation and configuration requirements and needs to be configured in detail based on vendor-provided documentation, ensuring that these tools are compatible with the other components of the platform and are capable of communicating via standard interfaces (e.g., API, SNMP, syslog, etc.).
To ensure efficient operation of the system, intrusion detection systems and intrusion prevention systems should monitor and detect abnormal behavior and potential threats in network traffic in real time. The firewall needs to protect the network and devices from unauthorized access according to predefined access control rules. Antivirus and antimalware tools are used to detect and remove viruses and malware in devices. The data encryption tool is responsible for protecting sensitive data in transmission and storage. The multi-factor authentication system enhances the authentication security of devices and users, ensuring that only authorized users can access the system. The behavior analysis tool uses data analysis techniques to identify and respond to abnormal device behaviors and network activities, and through analysis of device and network behavior patterns, potential threats are discovered and responded to in time.
The platform also needs to provide a unified management interface that allows users to configure, monitor and manage various security tools and control measures. This interface should be designed to be intuitive and easy to use, typically comprising a Web-based control panel, accessible to the user through a browser. The management interface needs to support various operations such as adding and deleting security policies, monitoring device status, viewing security events and logs, etc. In order to realize the functions, the interface back end needs to be integrated with the interfaces of all the safety tools, so that the real-time synchronization and the display of the data are ensured.
Configuring an automated task scheduler is another critical step. The scheduler is used to automatically perform security checking, updating and responding tasks according to predefined policies and rules. The task scheduler needs to be able to support timed tasks and event driven tasks. For example, periodic scanning tasks may be performed daily at night to scan the network throughout, and event driven tasks may be triggered immediately upon detection of a security threat. The scheduler needs to have high reliability and flexibility and can be adjusted according to actual requirements.
The integrated log management and analysis module is to centrally collect and store log data from various security tools and devices and to support analysis of real-time and historical data. The log management system needs to configure a log collector to aggregate log data generated by all security tools to a central repository. The storage of log data requires efficient compression and indexing techniques to support fast retrieval and analysis. The analysis module utilizes big data analysis technology to analyze log data in real time, identify potential security threats and abnormal behaviors, and generate detailed reports.
Setting up an alarm and notification system is also a crucial step. When abnormal behavior or security threats are detected, the system needs to be able to automatically generate alarms and notify the relevant personnel. The alarm system needs to be configured with flexible alarm rules, which can be customized according to threat type, severity and device type. The notification modes comprise email, SMS text message, instant messaging and the like, so that the relevant personnel receive the alarm information in time and take corresponding measures. The alert information needs to include a detailed threat description, information on the affected devices, and suggested treatment measures.
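The following is an added example (written for this page, not code from the application) of the log collection and alarm steps above: it parses syslog lines as a firewall and an IDS would forward them, keys alert rules on threat type, severity and the device type from the asset list, and routes notifications by severity. The sample lines, host names, addresses, signature ID and the asset-type table are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: RFC 3164-style lines as a firewall (fw-01) and an
# IDS sensor (ids-01) would forward them to the collector. Hosts, addresses
# and the signature ID are invented for the example.
SAMPLE_SYSLOG = """\
<134>Jun 12 10:01:02 fw-01 kernel: DROP IN=eth1 SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP DPT=502
<134>Jun 12 10:01:03 fw-01 kernel: DROP IN=eth1 SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP DPT=502
<134>Jun 12 10:01:04 fw-01 kernel: DROP IN=eth1 SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP DPT=502
<132>Jun 12 10:01:05 ids-01 suricata: [1:2024001:1] ET SCAN Modbus scan SRC=10.0.5.23 DST=10.0.1.10 severity=high
<134>Jun 12 10:02:00 fw-01 kernel: ACCEPT IN=eth0 SRC=10.0.1.5 DST=10.0.1.10 PROTO=TCP DPT=502
"""

# Constructed asset-list lookup (IP -> device type) produced by the earlier
# classification step; the alert rules below key on this.
ASSET_TYPES = {"10.0.1.10": "controller", "10.0.1.5": "engineering-workstation"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

@dataclass
class Event:
    facility: int
    severity: int            # 0 = emergency ... 7 = debug (RFC 3164)
    host: str
    tag: str
    msg: str
    fields: dict = field(default_factory=dict)   # key=value pairs parsed from msg

def parse_syslog(line: str):
    """Parse one syslog line; PRI = facility*8 + severity. Returns None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    fields = dict(re.findall(r"(\w+)=(\S+)", m["msg"]))
    return Event(pri // 8, pri % 8, m["host"], m["tag"], m["msg"], fields)

def evaluate_rules(events, drop_threshold=3):
    """Alert rules keyed on threat type, severity and the affected device type."""
    alerts = []
    drops = Counter()
    for ev in events:
        f = ev.fields
        if ev.tag == "kernel" and ev.msg.startswith("DROP"):
            drops[(f.get("SRC"), f.get("DST"), f.get("DPT"))] += 1
        elif ev.tag == "suricata" and f.get("severity") == "high":
            dev = ASSET_TYPES.get(f.get("DST"), "unknown")
            alerts.append({
                "level": "high", "device": f.get("DST"), "device_type": dev,
                "threat": ev.msg.split(" SRC=")[0], "source": f.get("SRC"),
                "action": "isolate the source at the firewall and review the IDS context",
            })
    for (src, dst, dpt), n in drops.items():
        if n >= drop_threshold:
            dev = ASSET_TYPES.get(dst, "unknown")
            alerts.append({
                "level": "high" if dev == "controller" else "medium",
                "device": dst, "device_type": dev,
                "threat": f"{n} blocked connection attempts to port {dpt}", "source": src,
                "action": "check the source host and confirm the firewall rule is intended",
            })
    return alerts

def route_notification(alert):
    """Notification channels by severity (constructed policy: high pages, medium emails)."""
    channels = {"high": ["sms", "email", "chat"], "medium": ["email"], "low": []}
    return channels[alert["level"]]

def ingest(text: str):
    """Collector entry point: parse, evaluate rules, attach notification routing."""
    events = [e for e in (parse_syslog(l) for l in text.splitlines()) if e]
    alerts = evaluate_rules(events)
    for a in alerts:
        a["notify"] = route_notification(a)
    return events, alerts
```

The repeated-DROP rule shows why the rules need the asset list: three blocked attempts against a controller are rated high, while the same pattern against a less critical device type would only be medium.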
Through the detailed operation steps, a security arrangement platform integrating various security tools and control measures can be constructed, a unified management interface is provided, an automatic task scheduler is configured, a log management and analysis module is integrated, and an alarm and notification system is arranged, so that security arrangement, management and automatic treatment for various equipment types is realized.
Step S104, corresponding security policies and management rules are formulated in the security arrangement platform aiming at different types of devices in the device asset list to form a policy library so as to provide effective security management for the different types of devices in the device asset list. The following is a detailed description of this step:
First, based on classification information in the device asset inventory, security requirements and risk features for each device type need to be determined. This step includes analyzing the role of each device type in the network, its processed data sensitivity, and its faced potential threats. For example, sensor devices may be primarily at risk of data tampering, while controller devices may be at risk of more complex remote intrusion and manipulation. Through such analysis, a preliminary list of security requirements may be formulated for each device type.
Next, the corresponding security policies and management rules are initially formulated according to the security requirements of each device type. Security policies shall include access control policies, data protection policies, intrusion detection and defense policies, etc. The access control policy specifies which devices and users may access a particular device resource and under what conditions access is allowed. For example, a strict access control policy may be formulated for the controller device, allowing access only to multi-factor authenticated users. The data protection policy includes data encryption, data integrity verification, data backup, etc. to protect the data processed by the device from unauthorized access or tampering.
Intrusion detection and defense strategies should then include detection and defense measures against the various attack types that the device may be exposed to. For example, abnormal traffic detection rules may be formulated for the sensor devices to detect and block possible DDoS attacks, and operational behavior analysis rules may be formulated for the controller devices to identify and block abnormal control instructions. All of these policies and rules should be tailored and optimized according to the characteristics of the device type.
After the security policies and management and control rules are formulated, they need to be entered into the policy library of the security arrangement platform. The policy repository should have structured data storage and retrieval functions that can efficiently store and manage a large number of security policies and rules. Each policy and rule should contain detailed definitions and specifications including applicable device types, specific security measures, trigger conditions, and execution steps, etc. For example, one data encryption policy for a sensor device may specify enabling AES-256 on the sensor device in an authenticated mode such as AES-GCM (so that integrity verification is covered as well as confidentiality), require that all transmitted data be encrypted, and require that the encryption key be rotated periodically.
To ensure the dynamics and flexibility of policy libraries, an update and maintenance mechanism for setting policies is also required. Security threats and equipment environments are constantly changing, and security policies and management rules also need to be adjusted and updated in time. The policies and rules in the policy repository may be periodically reviewed and evaluated to update and optimize based on the latest security information and device operating conditions. Meanwhile, the security arrangement platform has an automatic function of pushing and executing the policies, and when the policies in the policy library are updated, new policies can be automatically deployed on corresponding devices, and effective execution of the policies is ensured.
In addition, the policy repository should be provided with version control and audit functions to track and manage historical versions and change records of policies. This facilitates backtracking and analysis when problems occur, finding the root of the problem and taking corresponding action.
In the implementation process, the formulated security policy and management rules should be subjected to strict test and verification to ensure the validity and reliability thereof. The method can test the strategies and rules in a simulation environment, evaluate the performances of the strategies and rules under various attack scenes, and adjust and optimize the strategies and rules according to test results.
In summary, the implementation of step S104 includes determining the security requirement of each device type, formulating the corresponding security policy and management rule, compiling the policy library of the security arrangement platform, and setting the update and maintenance mechanism of the policy, while ensuring the validity and reliability of the policy.
More specifically, for different types of devices in the device asset list, corresponding security policies and management rules are formulated in the security arrangement platform to form a policy library, including:
First, an initial security policy is formulated based on the device type. The initial security policy should cover access control, data transmission encryption and abnormal behavior detection. The access control policy specifies which users or devices may access a particular resource and under what conditions access is allowed. To achieve this, role-based access control (RBAC) may be configured to assign corresponding access rights according to the roles of the user or device. The data transmission encryption policy ensures that data transmitted between devices is always encrypted to prevent unauthorized interception and tampering. Common techniques include TLS (SSL, its predecessor, is deprecated and should not be enabled) and IPsec. The abnormal behavior detection strategy sets rules and algorithms to monitor the behavior of the device and to identify and respond to abnormal activities. For example, a machine learning algorithm may be used to analyze the historical behavior patterns of the device and to detect and alert on behavior that deviates from the normal pattern.
Based on the operating system and firmware version of the device, a targeted patch management and update strategy is formulated, and ensuring that the device always runs the latest security version is the key of the next step. Different security vulnerabilities may exist for each device's operating system and firmware version, and thus specific patch management policies need to be formulated to ensure that the device always runs the latest security version. This includes periodically scanning the operating system and firmware versions of the device, identifying the devices that need to be updated, and automatically pushing the corresponding security patches and update packages. The platform should be configured with an update management module that can communicate with the device vendor's update server, download the latest patches and update packages, and push onto the device according to a predetermined update schedule. To reduce the impact of updates on device operation, an update window period may be set, with update operations performed when the device load is low.
Setting different security levels and emergency response measures according to the roles and importance of the devices in the network is another important aspect of ensuring network security. The role and importance of a device in a network determines the level of security protection and emergency response measures it needs. For example, core gateway devices and controller devices are often critical to the stability and security of the network, requiring setting of higher security levels and more stringent emergency response measures. These include periodic backup of configuration data, configuration of redundant devices and links, setting of more stringent access control and monitoring policies, and the like. In an emergency, the platform should be able to quickly switch to a standby device or link, ensuring continued operation of the network.
Defining security rules for a particular data sensitivity and device connectivity is an important component of the policy repository. Data sensitivity refers to the confidentiality and importance of data processed by a device, with data of different sensitivity requiring different protection measures. For devices that handle highly sensitive data, more stringent data transmission restrictions and encryption requirements should be set to ensure confidentiality and integrity of the data during transmission. The device connectivity refers to the connection degree of the device and other devices, and devices with high connectivity often face more security threats and need stronger security protection. For example, network isolation rules may be set that isolate high risk devices in a controlled network area, limiting their direct communication with other devices. Access log recording is another important security rule, and by recording access and operation logs of equipment, tracing and analysis can be performed after a security event occurs, so that a problem source can be found out and corresponding protective measures can be taken.
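As an added example (written for this page, not the application's own code) of the patch management strategy described above: each asset's firmware version is compared with the latest secure version recorded for its device type and operating system, devices with no known baseline are flagged for manual review rather than skipped, and the resulting updates are placed into a nightly low-load window. The version table, asset records, window times and the clock value are constructed; no vendor update server is contacted.

```python
import re
from datetime import datetime, time, timedelta

def parse_version(v: str):
    """Turn '6.9.4', 'v3.1.9' or '1.4.0-rc1' into a comparable tuple of ints.
    Pre-release suffixes after '-' are ignored; vendor-specific schemes need their own parser."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

# Constructed cache of the latest secure firmware per (device type, OS), as the
# update management module would hold it after syncing with the vendor server.
LATEST_SECURE = {
    ("plc", "vxworks"): "6.9.4",
    ("sensor", "rtos"): "1.4.0",
    ("gateway", "linux"): "3.2.1",
}

# Constructed asset-list entries (device type, operating system, firmware version).
ASSETS = [
    {"id": "plc-07", "type": "plc", "os": "vxworks", "firmware": "6.9.2"},
    {"id": "sensor-12", "type": "sensor", "os": "rtos", "firmware": "1.4.0"},
    {"id": "gw-01", "type": "gateway", "os": "linux", "firmware": "v3.1.9"},
    {"id": "hmi-03", "type": "hmi", "os": "windows", "firmware": "10.0"},
]

def devices_needing_update(assets, latest=LATEST_SECURE):
    """Return (updates, unknown): devices behind the secure baseline, and devices with
    no baseline, which are flagged for manual review rather than silently skipped."""
    updates, unknown = [], []
    for a in assets:
        target = latest.get((a["type"], a["os"]))
        if target is None:
            unknown.append(a["id"])
        elif parse_version(a["firmware"]) < parse_version(target):
            updates.append((a["id"], a["firmware"], target))
    return updates, unknown

def schedule_in_window(updates, now, window_start=time(1, 0), window_end=time(4, 0),
                       minutes_each=15):
    """Assign each update a slot inside the next low-load window; updates that do not
    fit are deferred to the following window instead of spilling into production hours."""
    start = datetime.combine(now.date(), window_start)
    if now.time() >= window_start:
        start += timedelta(days=1)
    end = datetime.combine(start.date(), window_end)
    plan, deferred = [], []
    for i, (dev, cur, tgt) in enumerate(updates):
        slot = start + timedelta(minutes=minutes_each * i)
        if slot + timedelta(minutes=minutes_each) > end:
            deferred.append(dev)
        else:
            plan.append((dev, cur, tgt, slot.isoformat(timespec="minutes")))
    return plan, deferred

EXAMPLE_NOW = datetime(2024, 6, 12, 10, 0)   # constructed clock value for the usage below

if __name__ == "__main__":
    pending, review = devices_needing_update(ASSETS)
    print(schedule_in_window(pending, EXAMPLE_NOW), "manual review:", review)
```

The tuple comparison is deliberately strict about the version scheme: an unparsable or vendor-specific version string should end up in the manual-review list, never be treated as "up to date".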
Through the detailed operation steps, corresponding security policies and management rules can be formulated on the security arrangement platform to form a comprehensive policy library. The policy library can provide customized security protection measures for different types of equipment in the equipment asset list, and ensures the overall security of the network and the equipment.
Step S105, a security arrangement platform is utilized to deploy and configure corresponding security monitoring modules for each type of equipment according to the policy library, so that real-time monitoring of the running state and network behavior of the equipment is realized, and when the security monitoring modules detect potential security threats, the security arrangement platform automatically matches corresponding policies in the policy library. The following is a detailed description of this step:
First, the security orchestration platform needs to extract security monitoring requirements for each class of device from the policy repository. These monitoring requirements include device operating state parameters and network behavior indicators that need to be monitored, such as CPU utilization, memory usage, disk activity, network traffic, port access records, etc. The monitoring requirements for each type of device will vary from one type to another and from function to function, and therefore will need to be customized based on the device classification information in the device asset inventory.
Next, an appropriate security monitoring module is selected and deployed. These modules may be dedicated monitoring software or hardware devices responsible for collecting the operating state and network behavior data of the devices. When installing and configuring the monitoring module, it is necessary to ensure that it is compatible with the operating system and firmware version of the target device and does not negatively impact the proper operation of the device. Specific deployment procedures include installing a monitoring software agent on the device or configuring a monitoring hardware device in the network path. The monitoring software agent should be configured to run automatically at device start-up and periodically send monitoring data to the security orchestration platform.
After the monitoring module is installed and configured, a series of initialization and calibration operations are required. Firstly, the monitoring module should be connected and registered with the security orchestration platform, ensuring that the platform can identify and manage all the monitoring modules. The registration process may require the provision of a unique identifier of the device and authentication information to verify the legitimacy of the device. The monitoring module then needs to be configured to perform data collection and transmission as required in the policy repository. The configuration process comprises the steps of setting data acquisition frequency, data transmission protocol, encryption mode and the like. Data transmission should employ security protocols such as TLS or IPsec to ensure confidentiality and integrity of the data during transmission.
After configuration is completed, the monitoring module starts to collect the running state and network behavior data of the equipment in real time and transmits the data to the security arrangement platform. After the platform receives the data, the data is processed and analyzed in real time through a built-in analysis engine. The analysis engine utilizes preset security policies and rules to compare and evaluate the collected data, and identifies potential security threats and abnormal behaviors. For example, if the monitoring module detects a sudden large increase in CPU usage of the device, or an abnormal port access request in network traffic, the analysis engine will determine whether these actions constitute a potential threat according to rules in the policy repository.
When the security monitoring module detects a potential security threat, the security arrangement platform automatically matches the corresponding policies in the policy repository. The matching process includes selecting the most appropriate coping strategy based on threat type, device type and monitoring data. The platform will invoke a predefined policy matching algorithm, evaluate the priority and applicability of multiple alternative policies, and finally select the optimal policy for disposal. After the matching is completed, the platform generates a series of automated treatment instructions and triggers the subsequent automated treatment process.
In addition, the security orchestration platform should also provide real-time alerting and notification functions. When the monitoring module detects a serious security threat, the platform should immediately send an alert notification to the security manager and provide a detailed threat analysis report. The alert notification may be sent in a variety of ways, including email, text message, instant messaging tool, etc. The threat analysis report should contain detailed descriptions of the threat, affected equipment information, preliminary treatment recommendations, etc., to assist security administrators in taking necessary countermeasures in time.
Through the detailed operation steps, the security arrangement platform can realize real-time monitoring and automatic security management of various devices, and effectively improve the overall security in an industrial Internet environment.
More specifically, deploying and configuring a corresponding security monitoring module for each type of equipment according to the policy library by using the security arrangement platform, so as to realize real-time monitoring of the running state and network behavior of the equipment, comprises the following steps:
First, a custom security monitoring module needs to be installed on each type of device. This process is used to determine the operating system and firmware version of each device, ensuring that the installed monitoring module is compatible with the device's existing software environment. For this reason, it is necessary to develop or select a monitoring module that adapts to various operating systems and firmware versions. These modules may be lightweight software agents installed on the device for collecting and transmitting monitoring data in real time. The installation process may be automated through a remote deployment tool, ensuring that the monitoring module is efficiently and accurately deployed on a large number of devices.
After installation, the monitoring modules must be configured to collect the operational status data of the device in real time. Such data includes, but is not limited to, CPU usage, memory usage, disk activity, and network connection status. The monitoring module needs to be configured to periodically collect such data and perform preliminary analysis and processing on the device. For example, it may be set to collect CPU usage and memory usage once per minute, and aggregate and filter data locally to reduce the amount of data transferred. For monitoring of network behavior, the module needs to analyze the inbound and outbound traffic of the device in real time, identify and record all network connections, detect abnormal traffic patterns and suspicious network activity. The abnormal traffic pattern may include bursty bulk data transfers, frequent connection request failures, unauthorized port access, and the like.
After the configuration is completed, the security monitoring module starts to operate and collect data. To protect the monitoring data, the data transmitted from the device to the security orchestration platform must be encrypted so that it cannot be tampered with or read in transit; TLS (transport layer security) and IPsec (internet protocol security) are suitable for this purpose. The monitoring module encrypts the acquired data and transmits it to the security arrangement platform over the secure connection.
On the security orchestration platform, a mechanism for data aggregation analysis needs to be set. After the platform receives the encrypted data, decryption and verification are carried out first, so that the integrity and the authenticity of the data are ensured. The platform then stores the monitoring data in a centralized database for subsequent analysis and processing. The security arrangement platform should have efficient data processing capability, be able to rapidly analyze large amounts of real-time data, and utilize predefined security policies and management rules for real-time anomaly detection. The platform uses various data analysis techniques, such as statistical analysis, behavioral analysis, and machine learning algorithms, to detect abnormal patterns and potential threats in the device operating state and network behavior in real time.
To ensure timely response to abnormal behavior and potential threats, an alarm mechanism needs to be set. And when the monitoring module detects abnormal behaviors or potential threats, alarm information is immediately sent to the security arrangement platform. After receiving the alarm, the platform generates a detailed alarm report according to the predefined alarm rule and notifies relevant security personnel. The alert report should contain detailed descriptions of abnormal behavior, affected device information, preliminary risk assessment, and suggested countermeasures. The notification mode can comprise an email, a short message, an instant messaging tool and the like, so that security personnel can be ensured to receive alarm information in time and take corresponding measures.
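The following added example (not from the application) puts the monitoring steps of this section and of step S105 into code: the agent reduces its per-minute samples to a baseline and latest value before sending, and the platform applies the policy-library rules to detect a sudden CPU increase, access to ports outside the device type's allowlist, bursty bulk transfers and repeated connection failures, then builds the alarm report with device information, severity and preliminary countermeasures. The telemetry, rule thresholds and severity/action tables are constructed.

```python
from collections import Counter
from statistics import mean

# Constructed telemetry from a lightweight agent on one controller: ten
# per-minute CPU/memory samples and the connections seen in the same window.
TELEMETRY = {
    "device_id": "plc-07", "device_type": "controller", "firmware": "6.9.2",
    "cpu_pct": [18, 21, 19, 22, 20, 19, 23, 20, 21, 96],
    "mem_pct": [41, 41, 42, 41, 41, 42, 41, 41, 42, 43],
    "connections": [
        {"dst": "10.0.1.5", "port": 502, "ok": True, "bytes": 1200},
        {"dst": "10.0.1.5", "port": 502, "ok": True, "bytes": 1100},
        {"dst": "203.0.113.9", "port": 4444, "ok": True, "bytes": 5_000_000},
    ] + [{"dst": "10.0.1.99", "port": 22, "ok": False, "bytes": 0}] * 5,
}

# Constructed monitoring rules per device type, as extracted from the policy library.
RULES = {
    "controller": {"allowed_ports": {502, 44818}, "cpu_spike_factor": 3.0,
                   "cpu_abs_pct": 80, "max_failed_conn": 5, "bulk_bytes": 1_000_000},
}

def aggregate_locally(samples):
    """Agent-side reduction: ship a baseline and the latest value instead of every sample."""
    return {"baseline": mean(samples[:-1]), "last": samples[-1], "peak": max(samples)}

def analyze(telemetry, rules=RULES):
    """Platform-side rule evaluation; returns a list of (kind, detail) findings."""
    r = rules[telemetry["device_type"]]
    findings = []
    cpu = aggregate_locally(telemetry["cpu_pct"])
    # "sudden large increase": both an absolute ceiling and a multiple of the baseline
    if cpu["last"] >= r["cpu_abs_pct"] and cpu["last"] >= r["cpu_spike_factor"] * cpu["baseline"]:
        findings.append(("cpu_spike", f"CPU {cpu['last']}% vs baseline {cpu['baseline']:.0f}%"))
    failures, seen = Counter(), set()
    for c in telemetry["connections"]:
        key = (c["dst"], c["port"])
        if c["port"] not in r["allowed_ports"] and key not in seen:
            seen.add(key)                      # report each unauthorized destination once
            findings.append(("unauthorized_port", f"{c['dst']}:{c['port']}"))
        if not c["ok"]:
            failures[c["dst"]] += 1
        if c["bytes"] >= r["bulk_bytes"]:
            findings.append(("bulk_transfer", f"{c['bytes']} bytes to {c['dst']}:{c['port']}"))
    for dst, n in failures.items():
        if n >= r["max_failed_conn"]:
            findings.append(("repeated_conn_failure", f"{n} failed connections to {dst}"))
    return findings

SEVERITY = {"unauthorized_port": "high", "bulk_transfer": "high",
            "repeated_conn_failure": "medium", "cpu_spike": "medium"}
ACTIONS = {"unauthorized_port": "isolate the device and block the destination",
           "bulk_transfer": "isolate the device and preserve a traffic capture",
           "repeated_conn_failure": "inspect for scanning or misconfiguration",
           "cpu_spike": "check running processes and recent firmware changes"}

def build_alert(telemetry, findings):
    """Alarm report with description, affected device and preliminary countermeasures."""
    if not findings:
        return None
    levels = ["low", "medium", "high"]
    worst = max((SEVERITY[k] for k, _ in findings), key=levels.index)
    return {
        "device": {k: telemetry[k] for k in ("device_id", "device_type", "firmware")},
        "severity": worst,
        "findings": [f"{k}: {d}" for k, d in findings],
        "actions": sorted({ACTIONS[k] for k, _ in findings}),
    }
```

The CPU rule needs both conditions: a multiple of the baseline alone would fire on an idle device going from 2% to 8%, and an absolute ceiling alone would miss a device whose normal load is already moderate.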
Through the detailed operation steps, the security arrangement platform can be utilized to deploy and configure corresponding security monitoring modules for each type of equipment according to the policy library, monitor the running state and network behavior of the equipment in real time, ensure the security of data transmission and set an effective alarm mechanism. These steps ensure comprehensive and real-time security monitoring of devices in an industrial internet environment, facilitating timely discovery and response to various security threats.
Further, when the security monitoring module detects a potential security threat, the security arrangement platform automatically matches corresponding policies in the policy library, specifically including:
When a security monitoring module detects a potential security threat, an importance index (DI) is first calculated for the device on which the threat was detected. The importance index is a quantitative index that evaluates the importance of the device in the overall system and is used to determine the priority of the device during treatment. Equation (1) is used to calculate the importance index of the device:
;
in the formula, the meanings of various parameters and coefficients and the acquisition method thereof are as follows:
CF (critical function factor) represents the criticality of the function performed by the device in the system. The value may be determined by the functional description of the device and the role in the system. For example, a device controlling a critical manufacturing process may have a higher CF value. The method of acquiring CF may be expert evaluation or calculation based on historical data.
DR (data sensitivity) represents the sensitivity of the data processed by the device. The data sensitivity may be determined by the type of data processed by the device and the confidentiality level of that data. Devices that process sensitive information or personal data have higher DR values. DR may be obtained through data classification and grading procedures.
DC (device connectivity) represents the connection density of a device with other devices, i.e. the importance of the device in the network topology. Highly connected devices act as key hubs in the network. The DC value may be calculated by a network topology analysis tool.
w1, w2, w3 (weighting coefficients) adjust the extent to which CF, DR and DC influence the final importance index. The weight coefficients may be set by historical data analysis and expert evaluation.
a and b (adjustment parameters) adjust the influence of the nonlinear parts of the formula and ensure the rationality and effectiveness of the calculation result. Parameters a and b can be tuned by optimization algorithms or experimental data.
After calculating the importance index (DI), the next step is to evaluate the severity of the Threat (TS), equation (2) is used to evaluate the severity of the threat:
;
in the formula, the meanings of various parameters and coefficients and the acquisition method thereof are as follows:
FP (false positive probability) represents the false positive probability of threat detection. The value may be obtained by analyzing historical detection data and threat type statistics. The lower the FP value, the more trusted the threat.
VI (vulnerability impact) represents the potential impact of a vulnerability on devices and systems. The VI value may be obtained from a vulnerability scoring system (e.g., CVSS) or expert evaluation.
AI (attack indicator intensity) represents the intensity of the currently detected attack activity. The AI value can be obtained through real-time monitoring data analysis, such as abnormal traffic and attack frequency.
c (adjustment parameter) adjusts the nonlinear part of the vulnerability impact to ensure that the influence of VI is reasonable. The value of c can be obtained by tuning with an optimization algorithm or experimental data.
Next, the validity (PE) of the policy is calculated based on the history data. Equation (3) is used to calculate policy effectiveness:
;
in the formula, the meanings of various parameters and coefficients and the acquisition method thereof are as follows:
The success rate of each historical application of the policy, which can be obtained by recording and counting the effect after each application.
The time weight and stability adjustment parameters, which weight the historical success rates so that newer data has a greater influence on the calculation result. These parameters may be tuned by optimization algorithms or experimental data.
The number of historical applications of the policy used in the calculation.
Finally, a policy matching score (SMS) is calculated. Equation (4) is used to calculate the policy matching score:
;
in the formula, the meanings of various parameters and coefficients and the acquisition method thereof are as follows:
The weight coefficients adjust the degree of influence of DI, TS and PE on the final policy matching score and satisfy the normalization constraint of equation (4). They may be set by historical data analysis and expert evaluation.
The adjustment parameters adjust the nonlinear influence of each part of the formula to ensure a reasonable calculation result, and may be tuned by optimization algorithms or experimental data.
Through the above detailed steps, the importance index (DI), threat Severity (TS), policy validity (PE) and policy matching degree score (SMS) of the device can be calculated, and the policies in the policy repository are ordered according to the policy matching degree score, and the policy with the highest score is selected as the matching policy, so that the automated treatment process is arranged and executed.
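The following added example (not from the application) shows how the four quantities feed a ranking of candidate policies and the decision whether to trigger automated treatment. Equations (1) to (4) of the application are not reproduced here: the weighted sums, the (1 - FP) scaling of threat severity, the exponentially time-weighted success rate for PE, the prior for a policy with no history, and the candidate policies with their outcome histories are all this example's own assumptions, with every input normalized to the range 0 to 1.

```python
def device_importance(cf, dr, dc, w=(0.5, 0.3, 0.2)):
    """DI: assumed weighted sum of critical-function factor, data sensitivity and connectivity."""
    return w[0] * cf + w[1] * dr + w[2] * dc

def threat_severity(fp, vi_cvss, ai, w_vi=0.6):
    """TS: assumed form; detection confidence (1 - FP) scales a blend of vulnerability impact
    (CVSS base score / 10) and observed attack indicator intensity."""
    return (1 - fp) * (w_vi * vi_cvss / 10 + (1 - w_vi) * ai)

def policy_effectiveness(history, decay=0.8, prior=0.5):
    """PE: success rate over past applications (oldest first, 1 = success), each weighted by
    decay**age so newer outcomes dominate; a policy with no history gets the assumed prior."""
    if not history:
        return prior
    n = len(history)
    weights = [decay ** (n - 1 - i) for i in range(n)]
    return sum(w * s for w, s in zip(weights, history)) / sum(weights)

def match_score(di, ts, pe, w=(0.3, 0.3, 0.4)):
    """SMS: assumed convex combination; the weights must sum to 1."""
    assert abs(sum(w) - 1) < 1e-9
    return w[0] * di + w[1] * ts + w[2] * pe

# Constructed policy-library entries: applicability plus outcome history.
CANDIDATES = [
    {"name": "isolate-port", "threats": {"malware", "scan"}, "devices": {"controller"},
     "history": [1, 1, 0, 1, 1, 1, 1, 1]},
    {"name": "push-firmware", "threats": {"malware"}, "devices": {"controller", "sensor"},
     "history": [0, 1, 1, 1, 0, 0]},
    {"name": "tighten-config", "threats": {"malware"}, "devices": {"sensor"},
     "history": [1, 1, 1]},
]

def rank_policies(threat_type, device_type, di, ts, candidates=CANDIDATES):
    """Filter by applicability, then sort by SMS. DI and TS are shared by every candidate for
    the same event, so they set the overall urgency while PE decides the order."""
    ranked = []
    for p in candidates:
        if threat_type in p["threats"] and device_type in p["devices"]:
            pe = policy_effectiveness(p["history"])
            ranked.append((round(match_score(di, ts, pe), 4), p["name"], round(pe, 4)))
    return sorted(ranked, reverse=True)

def should_automate(ranked, threshold=0.6):
    """Trigger automated treatment only when the best match clears the threshold; otherwise
    the event is handed to an operator instead of executing a weakly matched policy."""
    return bool(ranked) and ranked[0][0] >= threshold

if __name__ == "__main__":
    di = device_importance(0.9, 0.7, 0.8)      # constructed: a critical, well-connected PLC
    ts = threat_severity(0.1, 8.0, 0.5)        # constructed: confident detection, CVSS 8.0
    ranked = rank_policies("malware", "controller", di, ts)
    print(ranked, "automate:", should_automate(ranked))
```

Two points this makes visible: a policy that has recently started failing (push-firmware above) drops below one with a long consistent record, and the score threshold keeps a low-DI, low-TS event from being handled automatically even when a policy technically applies.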
Step S106: based on the matched policy, the security orchestration platform coordinates and triggers the automated treatment flow, and orchestrates and executes a series of security treatment operations to ensure the security and stability of the system. This step specifically comprises the following:
Isolation measures are implemented for a particular device in the device asset inventory. When the security orchestration platform has matched the policy appropriate for the current threat, the platform first generates specific automated handling instructions. These instructions include implementing isolation measures for specific devices, pushing matching firmware updates, and automatically adjusting security configurations based on device type. The platform coordinates the execution of these instructions through a central control module, ensuring that the operations are performed in sequence and without gaps.
Implementing the isolation measure is a critical step in the treatment process. The security orchestration platform first isolates the compromised device at the network level, either through network devices (e.g., switches and routers) or directly through firewall rules. The platform issues instructions that cut the device off from communicating with other network nodes to prevent the threat from spreading. Specific operations may include modifying firewall rules to reject all inbound and outbound traffic of the device, or adjusting switch port settings to move the device into a controlled network area. These operations require real-time monitoring to confirm that the device has actually been isolated, with readjustment if necessary.
After the device isolation is completed, the platform pushes the matched firmware update according to the device information. This step requires that the latest firmware versions of the various devices be prepared in advance and stored in a secure update server. The security orchestration platform communicates the update package to the compromised device over the secure communication channel. After receiving the update package, the device automatically updates according to the instructions of the platform. The update process includes downloading firmware, checking integrity, backing up the current configuration, installing the update, and restarting the device. The platform needs to monitor the entire update process, ensure that all steps are completed successfully, and take remedial action when the update fails, such as re-pushing the update or rolling back to the previous firmware version.
Automatic adjustment of the security configuration according to the device type is also a critical step. The platform refers to the predefined configuration templates in the policy repository and adjusts the security settings of the device automatically according to the specific device type and the current security requirements. These settings may include Access Control Lists (ACLs), security policy groups, logging levels, encryption settings, and so on. The platform sends the configuration commands to the device over a secure management interface (such as SNMP, SSH, or a proprietary API). After receiving a configuration command, the device performs the corresponding adjustment. The platform monitors the execution of these adjustments in real time, ensures that all configuration changes are applied correctly, and verifies and validates them where necessary.
The whole treatment process requires a rigorous monitoring and feedback mechanism. The security orchestration platform should record the execution status and result of each step, generating detailed logs and reports. These logs and reports not only help track every detail of the treatment process, but also provide data for subsequent auditing and analysis. If any abnormal situation occurs during execution, the platform should raise an alarm promptly and notify the relevant security personnel to take further manual intervention measures.
Through these operation steps, the security orchestration platform can effectively coordinate and trigger the automated treatment process, and execute isolation measures, firmware updates and security configuration adjustments for specific devices, so that the overall security of the industrial Internet environment is improved.
Furthermore, the method for security arrangement, control and automation treatment for multiple device types further comprises:
The process of the security treatment operation is recorded by the security orchestration platform, and a detailed security event report including the device information, the trigger reason and the measures taken is generated.
When the security orchestration platform detects a potential security threat and initiates an automated treatment procedure, the entire treatment operation first needs to be recorded in real time. This process begins when the security monitoring module detects abnormal behavior; from that point on, all related operations and events require detailed records. The recorded content includes the trigger cause, a specific description of the detected abnormal behavior, information on the affected device, the current status of the device, the specific actions taken, and the like.
The platform needs to have a logging system to achieve this. The logging system should have a high precision time stamping function to ensure that each operation step can accurately record the time sequence. All records should be stored in a central database for later analysis and auditing. The database needs to have high reliability and security to prevent data from being lost or tampered with.
After detecting the abnormal behavior, the security orchestration platform generates and executes a series of automated handling instructions according to the corresponding policies in the policy repository. These instructions include, but are not limited to, isolation measures for the affected devices, firmware updates, adjustment of security configurations, and the like. The generation and execution of each instruction needs to be recorded. The recorded content comprises specific content of the instruction, execution time, execution result and state change of the device in the execution process.
At the same time, the platform should be able to capture and record any manual intervention operations. For example, if during an automated treatment procedure the security personnel find that additional manual operations are required, such as adjusting security policies or intervening directly in device operations, these manual operations also need to be recorded in detail. The manual intervention records should include the identity of the operator, the specific operation performed, the operation time, the reason for the operation, and so on.
After all handling operations are completed, the security orchestration platform needs to generate a detailed security event report. This report should cover the entire event process from the detection of abnormal behavior to the final completion of the treatment operation. The report content should include details of the affected device (e.g., device type, operating system version, firmware version, physical location, and network location), descriptions of detected abnormal behavior, trigger reasons, detailed descriptions of each action taken in the automated treatment flow, records of manual intervention operations, and a timeline of the entire treatment process.
To ensure the integrity and traceability of the report, the security event report should also include references to, or attachments of, all relevant log records. These log records provide detailed operational details and the time sequence of events, facilitating post hoc analysis and auditing. Furthermore, the report should be generated in a structured format to allow quick retrieval and analysis when needed. Common formats include PDF documents, spreadsheets, or database entries.
After the report is generated, the relevant security managers and system managers should be notified automatically so that they learn of the handling of the security event in time and can take any necessary follow-up measures. The notification means may include e-mail, text message, instant message, and so on. The security event report should be stored in a dedicated security event database with appropriate access control so that only authorized personnel can view and download the report.
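As an added example that is not part of the patent, the following runner simulates the three operations of step S106 in sequence (isolation, firmware update with integrity check and rollback, configuration adjustment) while recording every step and the manual interventions, and then produces the structured security event report described above. All device data, firmware blobs, hashes and template contents are constructed; real deployments would replace the in-memory actions with calls to the network devices and management interfaces.

```python
"""Added example (not the patent's code): a minimal runner for step S106
that executes isolate -> firmware update -> config adjustment in order,
records each step with a timestamp, rolls back on a failed integrity
check, and builds the security event report described above.
Device actions are simulated in memory; all inputs are constructed."""
import hashlib
import json
import time

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_treatment(device, trigger, update, templates, clock=time.time):
    """Mutates the constructed `device` dict and returns the event report.
    `update` carries the firmware blob and its expected digest; `templates`
    maps a device type to the security settings to apply."""
    timeline, backup = [], dict(device)   # backup = pre-treatment config
    def record(step, result, **detail):
        timeline.append({"time": clock(), "step": step, "result": result, **detail})
    # 1. Isolation: reject all inbound and outbound traffic of the device
    device["acl"] = [f"deny {device['ip']} any", f"deny any {device['ip']}"]
    record("isolate", "ok", rules=device["acl"])
    # 2. Firmware: verify integrity before install; roll back on mismatch
    if sha256(update["blob"]) == update["expected_sha256"]:
        device["firmware"] = update["version"]
        record("firmware_update", "ok", version=update["version"])
    else:
        device["firmware"] = backup["firmware"]
        record("firmware_update", "failed_rollback", reason="integrity mismatch")
    # 3. Security configuration from the template for this device type
    cfg = templates.get(device["type"])
    if cfg:
        device.update(cfg)
        record("adjust_config", "ok", applied=sorted(cfg))
    else:
        record("adjust_config", "skipped", reason="no template for device type")
    failed = [e["step"] for e in timeline if e["result"] != "ok"]
    return {"device": {k: device[k] for k in ("ip", "type", "os", "firmware")},
            "trigger": trigger, "actions": timeline, "manual_interventions": [],
            "alarm": failed}   # non-empty alarm -> notify security personnel

def add_manual_intervention(report, operator, action, reason, clock=time.time):
    """Appends an operator action (identity, content, time, reason) to the report."""
    report["manual_interventions"].append(
        {"operator": operator, "action": action, "reason": reason, "time": clock()})
    return report

def to_json(report) -> str:
    """Structured form of the report for the security event database."""
    return json.dumps(report, indent=2, sort_keys=True)
```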
A second embodiment of the present application provides an electronic apparatus including:
A processor;
And a memory for storing a program which, when read and executed by the processor, performs the security orchestration, control and automated treatment method for multiple device types provided in the first embodiment of the application.
A third embodiment of the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the security orchestration, management and automation treatment method for multiple device types provided in the first embodiment of the present application.
While the application has been described in terms of preferred embodiments, it is not intended to be limiting, but rather, it will be apparent to those skilled in the art that various changes and modifications can be made herein without departing from the spirit and scope of the application as defined by the appended claims.