Create a Dynamic and Empowered Industrial IoT Security System in the Intelligent Age

Li Zhuanqin
Venustech Group
March 2017
Translated by ECV

A Book

Discussion

Outline

I. Security Situations in Smart Times
II. New Security System for Dynamically-enabling IIOT
III. Originality Spirit in New System

I. Security Situations in Smart Times

What is IIOT?

Figure: IIOT architecture
IIOT applications: network-based cooperation, development simulation, big-data processing, industrial cloud platform
External networks of factory (the Internet/mobile network and special network): upstream and downstream enterprises, intelligent products, intelligent factory
Factory cloud platform (and management software): intelligent production, service-oriented transformation, personalized customization
Factory control system: intelligent machines, goods-in-process

Industrial Development in Smart Times

Figure: from the digitalized factory to the intelligent factory. Names shown: LG CNS, BOSCH, Industrial 4.0, Haier, Made in China 2025, IIOT, Sany Heavy Industry, Midea

Smart Times and Industrial Control System

Figure: intelligent manufacturing, industrial big-data, industrial cloud, IIOT, Internet of Things (IoT)

Security Threat on Industrial Control in Smart Times

Industrial cloud security
1. Authentication issue
2. Account hijack
3. Virtual machine escape
4. System vulnerabilities
5. Malicious internal attacks
6. Abuse of cloud service
7. Denial of service attack
8. ….

IIOT security
The application of IIOT realizes the seamless connection between the industrial control system and the Internet, and also brings new security issues:
1. When industrial control systems are exposed to the Internet, people with malicious intent may search for them;
2. Different types of unknown attacks from the Internet may harm the industrial control systems at any time.

Industrial data security
1. Data storage security
2. Data transmission security
3. Data use security
4. Security of industrial big-data platforms
5. Security of relevant business secret data

Security vulnerabilities and viruses of industrial control system
1. Malicious use of known vulnerabilities
2. Constant emergence of 0day vulnerabilities
3. Explosion of different types of new vulnerabilities
4. New Trojans and viruses

Security Situations of Industrial Control — Two Reports of Gartner

2015: Market Trends: Industrial Control System Security
• Threats could be highly visualized to drive the development of OT security.
• Highly professional products are required in the market to solve the problems of special protocols in special systems.
• Though ICS security could be realized at different technical levels, security devices at the network level are most important.

2016: Market Guide for Operational Technology Security
• OT security problems need to be solved jointly by IT and OT departments
• OT security products have been evolving from the flexibility and protection demands proposed by IT security and OT liability
• Existing IT security products could not address OT security scenarios, particularly the requirements on safety.
• OT integrating both informatization and industrialization will face higher risks, with energy and public service enterprises being the first to be affected
• By 2020, investment in OT security will be doubled due to attacks and adjustments to corresponding strategies
• 4G or wireless network access technologies as well as IPv6 applications will allow more devices to access the network
• Fast-growing market segments are forming and many IT security products are being transformed into OT security products

New Features of IIOT

1. Blurred network boundary
2. Gradually blurring distinction between “security” and “safety”
3. Increasingly uncertain threats
4. Not a simple confrontation between offense and defense

1. Security protection shifting from optional to prerequisite
2. Flexibility
3. Dynamics
4. Sustainability

II. New Security System for Dynamically-enabling IIOT

Dynamically-enabling

• Dynamically-enabling is a fundamental philosophy that needs to be implemented when designing the full life cycle of a cyberspace information system
• "Dynamically" reflects the collaboration, correlation and flexibility in protection. Dynamic ≠ Automation.
• "Enabling" reflects the value of security in business. When security capacity is enabled for any object, the corresponding capacity will increase.

New Security System for Dynamically-enabling Industrial Control

Figure: the security system layered over the IIOT architecture (applications of IIOT: network-based cooperation, development simulation, big-data processing, industrial cloud platform; external networks of factory: the Internet/mobile network and special network; upstream and downstream corporate; intelligent products; factory cloud platform and management software; factory control system with control system and intelligent machines; intelligent production, personalized customization, service-oriented transformation; intelligence factory)
External perception: dynamical perception platform of industrial network security; knowledge base of security vulnerabilities and attack models
Internal perception: IT/OT unified management on information security
Protection-enabling: industrial control abnormality check, security configuration check, database audit, IT/OT O&M audit, sensor, IT/OT/cloud firewall, IT/OT vulnerability check, cloud/IT intrusion check, IT/OT gatekeeper (data exchange platform), IT/OT intrusion prevention, anti-virus, load balance, terminal/operation station, wireless security protection, data security protection, Internet behavior management

Equipment Type -> Terminal-side Security

Equipment type | Terminal-side security measure
SOC/FPGA/MCU architecture | Provide regulated interfaces, and build complete security logic in before delivery (hardware programming)
Operating system with restricted resources | Provide a lightweight agent, and realize authentication and encryption
Operating system with abundant resources, regulated and easy to adapt | Provide powerful clients, to realize terminal security and authentication

Besides software support, the above three device types may also integrate trusted chips into the system to realize high-level authentication security.

E.g., Protection devices enabling business security

Visibility
Enable the administrator to easily master the information on industrial control network flow
Display industrial assets, industrial control protocols, protection rules and intrusion events in one page

Flexibility
A multi-dimensional flexibility engine addresses the fragmented and long-period industrial control network problems
One entrance for four aspects, i.e., protocol rules, intelligence rules, intrusion characteristics and preset scenarios

Intelligence
It is not required to learn the business flow, since intelligent customization of industrial protection rules can be realized
In-depth flow self-learning -> Automatic parameter aggregation -> One-button generation of intelligent protection rules

Collaboration
Full integration into business security, and bidirectional interaction between the industrial firewall and the application system, collaboratively removing industrial control security threats
Interfaces between the industrial firewall and the centralized management system, the SOC platform and the user business platform
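The self-learning pipeline above (flow self-learning -> parameter aggregation -> rule generation) can be illustrated with a small whitelist learner. This is an added example, not Venustech code; the flow records are constructed and the field layout (source, destination, protocol, function code, address) is an assumption.

```python
from collections import defaultdict

# Constructed learning-phase flow records (not real traffic); field order is
# an assumption: (source IP, destination IP, protocol, function code, address)
LEARNED_FLOWS = [
    ("10.1.1.10", "10.1.2.5", "modbus", 3, 100),
    ("10.1.1.10", "10.1.2.5", "modbus", 3, 101),
    ("10.1.1.10", "10.1.2.5", "modbus", 3, 107),
    ("10.1.1.10", "10.1.2.5", "modbus", 16, 200),
    ("10.1.1.11", "10.1.2.6", "s7comm", 4, 0),
]


def learn_rules(flows):
    """Flow self-learning + parameter aggregation: collapse every observed
    (src, dst, protocol, function) tuple into one rule holding the
    address range seen during the learning window."""
    seen = defaultdict(list)
    for src, dst, proto, func, addr in flows:
        seen[(src, dst, proto, func)].append(addr)
    return {key: (min(addrs), max(addrs)) for key, addrs in seen.items()}


def render_rules(rules):
    """One-button rule generation: turn the aggregated table into
    human-readable allow rules for review before deployment."""
    return ["allow %s func %d %s -> %s addr %d-%d" % (p, f, s, d, lo, hi)
            for (s, d, p, f), (lo, hi) in sorted(rules.items())]


def check_flow(rules, flow):
    """Default-deny match of a live flow against the learned rules; the
    return value names the reason so it can feed the intrusion-event view."""
    src, dst, proto, func, addr = flow
    rng = rules.get((src, dst, proto, func))
    if rng is None:
        return "deny: unlearned %s function %d from %s to %s" % (proto, func, src, dst)
    lo, hi = rng
    if not lo <= addr <= hi:
        return "deny: address %d outside learned range %d-%d" % (addr, lo, hi)
    return "allow"
```

A learning window that is too short produces ranges that block legitimate but rare operations, which is why the rendered rules are meant to be reviewed before enforcement.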

Dynamical Perception Platform of Industrial Network Security

III. Originality Spirit Supporting the New System

Three Stages Corresponding to the Two Steps of the Intelligent Manufacturing Plan

By 2020, the development foundation and supporting capacity of intelligent manufacturing will be strengthened significantly, and digitalized manufacturing will be basically realized in the key fields of traditional manufacturing.
By 2025, the supporting system of intelligent manufacturing will be basically established, and intelligent transformation will be preliminarily realized for key industries.

Stage I: Based on current situations, solving existing security problems of industrial networks
Stage II: Opening for collaboration, jointly establishing a platform for timely sharing of threat information
Stage III: Integrating data, connecting the bottom and cloud of IIOT and establishing a new security guarantee system

Four Core Originality Spirits Supporting the New System

Constant study on vulnerability attack and defense: vulnerabilities of intelligent devices, e.g., sensors; PLC and DCS system vulnerabilities; security of source codes and mobile Internet; APT attack and defense, honeypots; vulnerabilities of host and server virtualization systems
Fully-refined technical protection framework: boundary protection; terminal protection; monitoring and scanning technologies; log collection
Consummation of large-scale industrial applications: electrical SCADA and DCS; rail traffic; petroleum refining ....
Open collaborative platform

Originality 1 - Detecting the Vulnerabilities of Industrial Control System

Security vulnerabilities of industrial control software: industrial control software such as Siemens WinCC, WellinTech KingView, GE iFix and ICONICS GENESIS32 has vulnerabilities such as buffer overflow, denial of service, and permission and access control flaws.
CNVD collects vulnerabilities such as remote denial of service and password leakage of well-known PLCs like Siemens S7-1200 and Schneider Quantum PLCs.

Case Study on the Security of IoT

An intelligent camera has an information leakage vulnerability and a login bypass vulnerability; detection and verification:
Verification of the information leakage vulnerability — Android APP
NMAP scanning results — port 23 (telnet) of the cameras is open
Login bypass vulnerability verification — three methods available
Use telnet for login; check default accounts and passwords; confirmed as root after login

Originality 2 - Fully-refined Technical Protection Framework

Figure: field audit; protection; intra-domain abnormality monitoring; boundary isolation protection; unified security management

Originality 3 - Consummation of Large-scale Industrial Applications

• Operation stations, engineer stations and servers run Windows systems that are basically not patched or updated;
• The communication between the DCS controller and the operation and engineer stations basically does not use information security measures such as identity authentication, rule checking, encrypted transmission and integrity checking;
• The MES server at the production execution level and the OPC server at the supervision and control level lack dynamic identification of the OPC port. The OPC server may allow any OPC client to connect and obtain any data;
• The engineer station has high authority and, once connected to the production network, may perform operation and maintenance on the control system;
• Superfluous network ports are not closed, and the industrial control network lacks security boundary control during inter-connection;
• There are no audit supervision measures for external operation and maintenance.
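The weaknesses listed above are the kind of thing the "security configuration check" component is meant to surface. The following is an added example, not Venustech code: a configuration check run over a constructed OT asset inventory whose record fields (role, patch state, open ports, OPC client allowlist, audit flags) are assumptions.

```python
# Constructed OT asset inventory (not a real site); record fields are assumptions
ASSETS = [
    {"name": "OPS-01", "role": "operation_station", "os": "windows", "patched": False,
     "open_ports": [135, 445, 3389]},
    {"name": "ENG-01", "role": "engineer_station", "os": "windows", "patched": True,
     "open_ports": [445], "on_production_net": True, "remote_ops_audited": False},
    {"name": "OPC-01", "role": "opc_server", "os": "windows", "patched": True,
     "open_ports": [135], "client_allowlist": []},
    {"name": "DCS-01", "role": "dcs_controller", "os": "firmware", "patched": True,
     "open_ports": [502], "authenticated": False, "encrypted": False},
]

# Ports each role is expected to expose; anything beyond this is superfluous
BASELINE_PORTS = {"operation_station": {135, 445}, "engineer_station": {445},
                  "opc_server": {135}, "dcs_controller": {502}}


def check_asset(asset):
    """Return the list of weaknesses found on one asset (empty if clean)."""
    role = asset["role"]
    findings = []
    if asset.get("os") == "windows" and not asset.get("patched"):
        findings.append("unpatched Windows host")
    if role == "dcs_controller" and not (asset.get("authenticated") and asset.get("encrypted")):
        findings.append("controller traffic without authentication or encryption")
    if role == "opc_server" and not asset.get("client_allowlist"):
        findings.append("OPC server accepts connections from any client")
    if role == "engineer_station" and asset.get("on_production_net") \
            and not asset.get("remote_ops_audited"):
        findings.append("engineer station on production network without O&M audit")
    extra = set(asset.get("open_ports", [])) - BASELINE_PORTS.get(role, set())
    if extra:
        findings.append("superfluous open ports: %s" % sorted(extra))
    return findings


def audit(assets):
    """Run the check over the whole inventory; only assets with findings appear."""
    report = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report[asset["name"]] = findings
    return report
```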

Originality 4 - Open and Collaborative Platform

Figure: a threat information monitoring platform shared by automation integration manufacturers, supervision authorities and information security providers. Techniques: opinion monitoring, sandbox technology, vulnerability scanning, configuration verification, virtual execution

Venustech Group Ecological Chain (Stock Code 002439)

Figure: ecological chain: acquiring and holding companies; cloud security; physical security

Let’s discuss together!

Meng Yahui 13910158620 (WeChat)

[email protected]