CN114021109A - System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry - Google Patents


Info

Publication number: CN114021109A
Application number: CN202111293147.0A
Authority: CN (China)
Prior art keywords: access, trust, workshop, identity authentication, monitoring
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 李民程, 胥强, 高进舟, 张真恺, 茅琰璘, 张慧嫔
Current assignee: Yunnan Ksec Design Research Institute Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yunnan Ksec Design Research Institute Co ltd
Priority: CN202111293147.0A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Classifications (CPC, section G Physics / G06 Computing; calculating or counting, and section Y02P Climate change mitigation technologies in the production or processing of goods)

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
            • G06F21/45 Structures or tools for the administration of authentication
        • G06F21/60 Protecting data
            • G06F21/602 Providing cryptographic facilities or services
            • G06F21/604 Tools and structures for managing or administering access control systems
    • G06N7/00 Computing arrangements based on specific mathematical models
        • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks
    • G06Q10/00 Administration; Management
        • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
            • G06Q10/063 Operations research, analysis or management
                • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
                    • G06Q10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
        • G06Q50/04 Manufacturing
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
            • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
        • Y02P90/30 Computing systems specially adapted for manufacturing


Abstract

The invention discloses a system for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry. The system comprises a monitoring module, a trust evaluation module, a dynamic access control module and a network control module. The monitoring module continuously monitors and collects the identity, access environment, access content and access behaviour data of the visitor by means of environment perception, multi-factor authentication, security audit and traffic monitoring; the trust evaluation module receives the data collected by the monitoring module, processes it and produces a trust score; the dynamic access control module generates the corresponding access policy from the trust score; and the network control module forwards and controls traffic according to the access policy. The invention solves the identity authentication and access management problems of the workshop industrial control system, realizes a fine-grained, identity-based dynamic access control mechanism and enhances the security of the industrial control system.

Description

System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry
Technical Field
The invention relates to the field of industrial control system security in the tobacco industry, and in particular to a system and a method for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry.
Background
With the rapid evolution of new-generation information technology, network security threats and risks emerge continuously, and solutions based on the traditional perimeter security model struggle to cope with them.
Analysis of the inspection results of the national tobacco bureau in recent years shows that identity authentication management in industrial control systems has serious deficiencies and does not meet the relevant national and industry security requirements. For the tobacco industry to support digital business, the industrial control system must open up business functions and data, and the large and complex access demands mean that the physical perimeter has, to some extent, lost its role as the security boundary. Under this borderless trend, security risk arises mainly from identity, authority and business. Existing security mechanisms are all built on a perimeter security model and lack targeted, fine-grained controls over identity, authority and business exposure, so the threats are hard to counter and the security architecture urgently needs upgrading.
In the operation of tobacco industrial control systems, identity security problems such as weak passwords, account sharing and overly long password rotation periods exist; once these risks materialize, production concerns such as operation auditing and responsibility boundaries in the business production process are greatly affected. As shown in Fig. 1, in the existing workshop identity authentication and access management scheme the 'visitor' accesses the application database (WINCC, PMS and the like) directly after identity authentication and authority assignment. Once the 'visitor' has obtained an access identity, the application database can be accessed with that identity without any further verification during the access, so anyone else who obtains the access identity information can log in to and access the database, which is a security risk.
Therefore, the security problems of identity authentication and access management in tobacco industry industrial control systems need in-depth research, and an identity authentication and access management solution closely fitted to the industrial control scenario needs to be realized.
Disclosure of Invention
The invention aims to address the above problems by providing a system and a method for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry. A zero trust architecture is adopted; the workshop's existing security and information resources are integrated; the network is treated as part of the environment; personnel, applications, equipment and the like in the workshop are comprehensively identified; trust scores are obtained from the trust evaluation module on the basis of the different types of identities and access environments; access is controlled according to the trust scores; and the security of the tobacco industry workshop industrial control system is thereby effectively enhanced.
The technical scheme adopted by the invention is as follows:
the invention relates to a system for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry, which comprises a monitoring module, a trust evaluation module, a dynamic access control module and a network control module, all arranged between the visitor and the application database;
the monitoring module continuously monitors and collects the identity, access environment, access content and access behaviour data of the visitor by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
the trust evaluation module receives the data collected by the monitoring module, processes it, computes a trust score and sends the score to the dynamic access control module;
the dynamic access control module generates the corresponding access policy from the trust score and applies it to the network control module;
and the network control module forwards and controls traffic according to the access policy.
The system addresses the problem that the traditional protection mechanism based on the physical perimeter has, to some extent, lost its role as the security boundary because of the large and complex access demands of tobacco industry industrial control systems, so that perimeter protection has become ineffective.
Preferably, the monitoring module comprises an environment sensing system, a multi-factor authentication system, a security audit system and a traffic monitoring system; the environment sensing system checks the visitor's access environment; the multi-factor authentication system authenticates the user's identity; the security audit system audits the database and the accessed resources and audits the user's access behaviour; the traffic monitoring system inspects all traffic in the system.
Preferably, traffic transmission in the system is encrypted.
The invention also discloses a method for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry, comprising the following steps:
step one: comprehensively identify the personnel, applications and equipment in the workshop and establish initial trust;
step two: collect and monitor the identity, access environment, access content and access behaviour data of the 'visitor' by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
step three: process the collected data and compute a trust score;
step four: set the access policy and authority according to the trust score;
step five: control traffic according to the access policy.
Preferably, data collection and evaluation of the visitor are carried out continuously by means of environment perception, multi-factor authentication, security audit and traffic monitoring, and traffic is controlled accordingly.
Preferably, in step four, the access policy and authority are set manually.
Preferably, in step one, the personnel, applications and equipment in the workshop are comprehensively identified by establishing a uniform identity authentication mechanism and assigning corresponding identity codes to personnel, applications and equipment.
Preferably, step three specifically comprises:
s1: receiving the user identity authentication data and behaviour monitoring data obtained from the access terminal's environment perception, multi-factor authentication, security audit and traffic monitoring;
s2: cleaning the received data and keeping the key information (IP address, certificate and user fingerprint) as the input for the next calculation;
s3: calculating the system threat probability P with a Bayesian network;
s4: setting the evaluation score base J to 0 to 100 points and multiplying the system threat probability P by the evaluation score base J to obtain the evaluation score F = J × P.
Preferably, when a user accesses for the first time, no behaviour monitoring data has yet been generated and it is set to an initial value.
Preferably, step four specifically comprises:
s10: receiving the trust score;
s20: setting thresholds Wr, Ww, Wx … (Wr < Ww < Wx …);
s30: comparing the trust score with Wx; if the trust score > Wx, all permissions on the accessed content are granted to the 'visitor'; otherwise, comparing the trust score with Ww; if the trust score > Ww, partial permissions on the accessed content are granted to the 'visitor'; otherwise, comparing the trust score with Wr; if the trust score > Wr, partial permissions on the accessed content are granted to the 'visitor'; otherwise, an access termination condition is triggered and an access termination policy is produced;
s40: configuring the access policy according to the trust score and the assigned permissions, and sending the policy to the network control module.
In summary, by adopting the above technical scheme the invention has the following beneficial effects:
1. The invention solves the problems of ineffective perimeter protection and security risk during access in the existing workshop identity authentication and access management scheme, provides a system and a method for identity authentication and access management of the workshop industrial control system, and effectively enhances the security of the tobacco industry workshop industrial control system.
2. The invention combines zero trust technology, moves the security measures from the network to the specific personnel, equipment and business assets, and superimposes an identity-based logical boundary on the network boundary, thereby realizing a fine-grained, identity-based dynamic access control mechanism and increasing the security of the industrial control system.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a conventional workshop identity authentication and access management scheme.
Fig. 2 is a schematic structural diagram of the system for implementing identity authentication and access management of a workshop-level industrial control system in the tobacco industry.
Fig. 3 is a data processing flow diagram of the monitoring module, trust evaluation module and dynamic access control module in an embodiment.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, abstract) may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
As shown in Fig. 2, the invention discloses a system for implementing identity authentication and access management of a workshop-level industrial control system in the tobacco industry, which comprises a monitoring module, a trust evaluation module, a dynamic access control module and a network control module, all arranged between the visitor and the application database;
the monitoring module continuously monitors and collects the identity, access environment, access content and access behaviour data of the visitor by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
the trust evaluation module receives the data collected by the monitoring module, processes it, computes a trust score and sends the score to the dynamic access control module;
the dynamic access control module generates the corresponding access policy from the trust score and applies it to the network control module;
and the network control module forwards and controls traffic according to the access policy.
In this system, the monitoring module comprises an environment sensing system, a multi-factor authentication system, a security audit system and a traffic monitoring system; the environment sensing system checks the visitor's access environment; the multi-factor authentication system authenticates the user's identity; the security audit system audits the database and the accessed resources and audits the user's access behaviour; the traffic monitoring system inspects all traffic in the system. Traffic transmission in the system is encrypted by means of link encryption, key facilities and the like, preferably using RS256.
The specific operating process of the system for realizing identity authentication and access management of the workshop-level industrial control system in the tobacco industry comprises the following steps:
first step: determine the workshop's existing security resources and information resources, and determine the subsystems to be connected to the system; confirm the initial trust of devices, applications and personnel;
second step: comprehensively identify the personnel, applications, equipment and the like in the workshop; establish a uniform identity authentication mechanism, assign corresponding identity codes to personnel, applications and equipment, and establish initial trust;
third step: the trust evaluation module connects to the environment sensing system to check the 'visitor's' access environment; the traffic monitoring system inspects all traffic in the system; the security audit system audits the database and the accessed resources and the user's access behaviour; and all audit information is fed to the trust evaluation module, which scores the trust of the current 'visitor';
fourth step: the trust evaluation module passes the score to the dynamic access control module, which can set the access policy and authority manually or dynamically according to the score; once set, the control command is passed to the network control module for traffic control;
fifth step: the environment sensing, multi-factor authentication, security audit and traffic monitoring systems continuously evaluate the visitor and act back on the network control module to control the visitor.
The invention also discloses a method for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry, comprising the following steps:
step one: comprehensively identify the personnel, applications and equipment in the workshop by establishing a uniform identity authentication mechanism, assigning corresponding identity codes to personnel, applications and equipment, and establishing initial trust;
step two: continuously collect and monitor the identity, access environment, access content and access behaviour data of the 'visitor' by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
step three: process the collected data and compute a trust score;
step four: set the access policy and access authority according to the trust score, or set them manually;
step five: control traffic according to the access policy.
As shown in Fig. 3, the trust evaluation module operates as follows:
s1: obtain the user's identity authentication data from the third-party integrated modules of the access terminal, such as environment perception and multi-factor authentication; the identity authentication data comprise device detection data and user detection data; when a user accesses for the first time, no behaviour monitoring data has yet been generated and it is set to an initial value;
s2: clean the received data and keep key information such as the IP address, certificate and user fingerprint as the input for the next calculation;
s3: calculate the system threat probability P with a Bayesian network;
s4: set the evaluation score base J to 0 to 100 points and multiply the system threat probability P by J to obtain the evaluation score F = J × P.
The dynamic access control module operates as follows:
s10: receive the trust score from the trust evaluation module;
s20: set thresholds Wr, Ww, Wx … (Wr < Ww < Wx …);
s30: compare the trust score with Wx; if the trust score is greater than Wx, grant the 'visitor' all permissions on the accessed content, where all permissions include operations that can affect the original system, such as deleting and executing files; otherwise compare the trust score with Ww; if the trust score is greater than Ww, grant the 'visitor' part of the permissions on the accessed content; otherwise compare the trust score with Wr; if the trust score is greater than Wr, grant the 'visitor' partial permissions on the accessed content, such as viewing; otherwise trigger the access termination condition and produce an access termination policy;
s40: configure the access policy according to the trust score and the assigned permissions, and send the policy to the network control module.
The invention discloses a system for realizing identity authentication and access management for a workshop-level industrial control system in the tobacco industry which adopts a zero trust architecture, integrates the workshop's existing security and information resources, treats the network as part of the environment, comprehensively identifies the personnel, applications, equipment and the like in the workshop, obtains trust scores from the trust evaluation module on the basis of the different types of identities and access environments, and sends the scores to the dynamic access control module; the dynamic access control module generates the corresponding access policy and applies it to the network control module, and the network control module forwards traffic according to the policy.
Meanwhile, the trust evaluation module continuously evaluates the visitor's identity, access environment, access content and access behaviour by means of environment perception, multi-factor authentication, security audit, traffic monitoring and the like; when the score falls below a certain threshold, the visitor's connection is cut off and re-authentication is prompted, forming a closed access control loop.
Trust scoring is performed on the 'visitor' from its identity, access environment and access content, a dynamic policy is generated from the trust score, and access management is carried out continuously on the basis of that dynamic policy.
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed.

Claims (10)

1. A system for realizing identity authentication and access management of a workshop-level industrial control system in the tobacco industry, characterized in that it comprises a monitoring module, a trust evaluation module, a dynamic access control module and a network control module arranged between the visitor and the application database;
the monitoring module continuously monitors and collects the identity, access environment, access content and access behaviour data of the visitor by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
the trust evaluation module receives the data collected by the monitoring module, processes it, computes a trust score and sends the score to the dynamic access control module;
the dynamic access control module generates the corresponding access policy from the trust score and applies it to the network control module;
and the network control module forwards and controls traffic according to the access policy.
2. The system for implementing identity authentication and access management of a tobacco industry workshop-level industrial control system according to claim 1, wherein the monitoring module comprises an environment sensing system, a multi-factor authentication system, a security audit system and a traffic monitoring system;
the environment sensing system checks the visitor's access environment;
the multi-factor authentication system authenticates the user's identity;
the security audit system audits the database and the accessed resources and audits the user's access behaviour;
the traffic monitoring system inspects all traffic in the system.
3. The system for implementing identity authentication and access management of a tobacco industry workshop-level industrial control system according to claim 1, wherein traffic transmission in the system is encrypted.
4. A method for realizing identity authentication and access management of a workshop-level industrial control system in the tobacco industry, characterized in that it comprises the following steps:
step one: comprehensively identifying the personnel, applications and equipment in the workshop and establishing initial trust;
step two: collecting and monitoring the identity, access environment, access content and access behaviour data of the 'visitor' by means of environment perception, multi-factor authentication, security audit and traffic monitoring;
step three: processing the collected data and computing a trust score;
step four: setting the access policy and authority according to the trust score;
step five: controlling traffic according to the access policy.
5. The method for realizing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 4, wherein traffic is controlled by continuously collecting and evaluating data of the 'visitor' by means of environment perception, multi-factor authentication, security audit and traffic monitoring.
6. The method for implementing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 4, wherein in step four the access policy and authority are set manually.
7. The method for realizing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 4, wherein in step one the personnel, applications and equipment in the workshop are comprehensively identified by establishing a uniform identity authentication mechanism and assigning corresponding identity codes to personnel, applications and equipment.
8. The method for implementing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 4, wherein step three specifically comprises:
s1: receiving the user identity authentication data and behaviour monitoring data obtained from the access terminal's environment perception, multi-factor authentication, security audit and traffic monitoring;
s2: cleaning the received data and keeping the key information (IP address, certificate and user fingerprint) as the input for the next calculation;
s3: calculating the system threat probability P with a Bayesian network;
s4: setting the evaluation score base J to 0 to 100 points and multiplying the system threat probability P by the evaluation score base J to obtain the evaluation score F = J × P.
9. The method for implementing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 8, wherein when a user accesses for the first time, no behaviour monitoring data has yet been generated and it is set to an initial value.
10. The method for implementing identity authentication and access management of the tobacco industry workshop-level industrial control system according to claim 4, wherein step four specifically comprises:
s10: receiving the trust score;
s20: setting thresholds Wr, Ww, Wx … (Wr < Ww < Wx …);
s30: comparing the trust score with Wx; if the trust score > Wx, all permissions on the accessed content are granted to the 'visitor'; otherwise, comparing the trust score with Ww; if the trust score > Ww, partial permissions on the accessed content are granted to the 'visitor'; otherwise, comparing the trust score with Wr; if the trust score > Wr, partial permissions on the accessed content are granted to the 'visitor'; otherwise, an access termination condition is triggered and an access termination policy is produced;
s40: and carrying out access strategy configuration according to the trust score and the distributed authority, and sending the strategy to a network control module.
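The trust scoring of claim 8 and the threshold policy of claim 10, carried end to end as an added example in Python; this is not code from the patent or from its assignee. The Bayesian network (one hidden Threat node with four observed children), its prior and conditional probabilities, the thresholds Wr, Ww, Wx, the record field names, the issuer name plant-ca, the IP allowlist and the device fingerprints are all constructed assumptions. One caveat a practitioner should settle before building this: claim 8 s4 reads F = J × P, which rises with the threat probability, while claim 10 grants more access as the score rises. The example therefore scores with J × (1 − P) and marks that reading as an assumption in the code.

```python
"""Trust scoring and access-policy selection along the lines of claims 8 to 10.

Added example, not code from the patent. Every number (prior, conditional
probabilities, thresholds), every field name and every identifier below
(plant-ca, the IP allowlist, the device fingerprints) is constructed.
"""
from datetime import date

J = 100.0                         # claim 8 s4: evaluation score base, 0..100
W_R, W_W, W_X = 30.0, 60.0, 85.0  # claim 10 s20: Wr < Ww < Wx (assumed values)

# Assumed Bayesian network: hidden node Threat, observed children below.
# Each entry is (P(obs=True | Threat=False), P(obs=True | Threat=True)).
PRIOR_THREAT = 0.10
CPT = {
    "ip_known":    (0.90, 0.20),
    "cert_valid":  (0.95, 0.30),
    "fp_match":    (0.95, 0.10),
    "behavior_ok": (0.90, 0.30),
}

KNOWN_IPS = {"10.20.1.15", "10.20.1.16"}        # constructed allowlist
REGISTERED_FPS = {"fp-hmi-01", "fp-eng-ws-02"}  # constructed device fingerprints
TRUSTED_ISSUER = "plant-ca"                     # constructed issuer name

# Constructed sample records (not data from the patent).
VALID_CERT = {"issuer": TRUSTED_ISSUER, "not_after": date(2035, 1, 1)}
EXPIRED_CERT = {"issuer": TRUSTED_ISSUER, "not_after": date(2020, 1, 1)}
SAMPLE_GOOD = {
    "identity_code": "P-0007",          # claim 7: identity code of the visitor
    "ip": "10.20.1.15",
    "cert": VALID_CERT,
    "fingerprint": "fp-hmi-01",
    "user_agent": "noise field that cleaning must drop",
}


def clean(raw):
    """Claim 8 s2: keep only the IP, certificate and fingerprint key information."""
    return {k: raw[k] for k in ("ip", "cert", "fingerprint") if k in raw}


def evidence(cleaned, monitoring, today):
    """Turn cleaned identity data plus monitoring data into Boolean observations.
    Claim 9: a first-time visitor has no behaviour data, so an initial value is
    used; treating it as clean is this example's assumption."""
    cert = cleaned.get("cert") or {}
    return {
        "ip_known": cleaned.get("ip") in KNOWN_IPS,
        "cert_valid": cert.get("issuer") == TRUSTED_ISSUER
                      and cert.get("not_after", date.min) >= today,
        "fp_match": cleaned.get("fingerprint") in REGISTERED_FPS,
        "behavior_ok": True if monitoring is None
                       else monitoring.get("anomalies", 0) == 0,
    }


def threat_probability(ev):
    """Claim 8 s3: exact posterior P(Threat=True | evidence) in the network above."""
    p_t, p_nt = PRIOR_THREAT, 1.0 - PRIOR_THREAT
    for name, observed in ev.items():
        p_true_given_nt, p_true_given_t = CPT[name]
        p_t *= p_true_given_t if observed else 1.0 - p_true_given_t
        p_nt *= p_true_given_nt if observed else 1.0 - p_true_given_nt
    return p_t / (p_t + p_nt)


def trust_score(p_threat):
    """Claim 8 s4 states F = J x P. Because claim 10 grants more access as the
    score rises, this example uses the complement J x (1 - P); that reading is
    an assumption, not something the claim text settles."""
    return J * (1.0 - p_threat)


def access_policy(score):
    """Claim 10 s30: compare with Wx, then Ww, then Wr. The claim calls both
    middle bands 'partial permissions'; the names here only tell them apart."""
    if score > W_X:
        return "full"
    if score > W_W:
        return "partial"
    if score > W_R:
        return "minimal"
    return "terminate"


def decide(raw, monitoring=None, today=None):
    """Claims 8 and 10 end to end. The returned dict is what claim 10 s40
    would hand to the network control module."""
    today = today or date.today()
    ev = evidence(clean(raw), monitoring, today)
    score = trust_score(threat_probability(ev))
    return {"visitor": raw.get("identity_code"),
            "score": round(score, 2),
            "policy": access_policy(score)}
```

With the constructed numbers, a known IP, valid certificate, registered fingerprint and clean behaviour score above 99 and get full permissions; an unknown IP with an unregistered fingerprint on first access lands in the Wr band (about 37 points); a known device with an unknown IP and audit anomalies lands in the Ww band (about 83 points); a visitor failing every check is terminated. The thresholds and probabilities are the knobs a deployment would tune, and they are the part a red team will probe first.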
CN202111293147.0A 2021-11-03 2021-11-03 System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry Pending CN114021109A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111293147.0A CN114021109A (en) 2021-11-03 2021-11-03 System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry

Publications (1)

Publication Number Publication Date
CN114021109A true CN114021109A (en) 2022-02-08

Family

ID=80060313

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111293147.0A Pending CN114021109A (en) 2021-11-03 2021-11-03 System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry

Country Status (1)

Country Link
CN (1) CN114021109A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598540A (en) * 2022-03-18 2022-06-07 北京启明星辰信息安全技术有限公司 Access control system, method, device and storage medium
CN114598540B (en) * 2022-03-18 2024-03-15 北京启明星辰信息安全技术有限公司 Access control system, method, device and storage medium
CN115378625A (en) * 2022-04-21 2022-11-22 国家计算机网络与信息安全管理中心 Cross-network information security interaction method and system
CN115378625B (en) * 2022-04-21 2024-03-08 国家计算机网络与信息安全管理中心 Cross-network information security interaction method and system
CN115361186A (en) * 2022-08-11 2022-11-18 哈尔滨工业大学(威海) Zero trust network architecture for industrial internet platform
CN115361186B (en) * 2022-08-11 2024-04-19 哈尔滨工业大学(威海) Zero trust network architecture for industrial Internet platform

Similar Documents

Publication Title
CN114021109A (en) System and method for realizing identity authentication and access management of workshop-level industrial control system in tobacco industry
CN111935165B (en) Access control method, device, electronic device and medium
CN110957025A (en) Medical health information safety management system
CN111917714B (en) Zero trust architecture system and use method thereof
CN116545731A (en) Zero-trust network access control method and system based on time window dynamic switching
CN107819771A (en) A kind of Information Security Risk Assessment Methods and system based on assets dependence
US20130042298A1 (en) System and method for generating trust among data network users
CN112966245A (en) Power grid information system access control method and system based on information measurement
CN113536258A (en) Terminal access control method and device, storage medium and electronic equipment
JP2019527417A (en) System and method for providing a secure data monitoring system executed in a factory or plant
CN112182519A (en) Computer storage system security access method and access system
CN106657011A (en) Business server authorized secure access method
CN115987697B (en) Multi-level information data sharing method and system based on event subscription mechanism
CN110543761A (en) big data analysis method applied to information security field
CN111835732A (en) Remote access security management system
CN102571874B (en) On-line audit method and device in distributed system
CN116248277A (en) Zero-trust security processing method and system for authentication encryption of Internet of things equipment
CN115130122A (en) Big data security protection method and system
CN114117264A (en) Illegal website identification method, device, equipment and storage medium based on block chain
CN116455668A (en) User trust measurement method and system in zero trust network environment
CN110708156B (en) Communication method, client and server
CN116418568A (en) Data security access control method, system and storage medium based on dynamic trust evaluation
CN112199700B (en) Safety management method and system for MES data system
CN117938502A (en) Processing system and method for network security event
CN113364744A (en) Method and system for detecting domain user login authentication abnormity based on windows log

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor before: Li Mincheng, Xu Qiang, Gao Jinzhou, Zhang Zhenkai, Mao Yanlin, Zhang Huipin
Inventor after: Li Mincheng, Xu Qiang, Gao Jinzhou, Zhang Zhenkai, Mao Yanlin, Chen Huipin