US 12,445,500 B2
Dynamic trusted edge gateway for industrial terminals based on classification and hierarchical management and its implementation method
Yuanfang Chen, Hangzhou (CN); Jie Xiong, Hangzhou (CN); Jianxin Xu, Hangzhou (CN); Xing Fang, Hangzhou (CN); and Xiaohan Chen, Hangzhou (CN)
Assigned to HANGZHOU DIANZI UNIVERSITY, Hangzhou (CN)
Filed by HANGZHOU DIANZI UNIVERSITY, Hangzhou (CN)
Filed on Feb. 26, 2025, as Appl. No. 19/064,668.
Claims priority of application No. 202410226276.5 (CN), filed on Feb. 29, 2024.
Prior Publication US 2025/0280041 A1, Sep. 4, 2025
Int. Cl. H04L 9/40 (2022.01); G16Y 40/10 (2020.01); G16Y 40/50 (2020.01)
CPC H04L 63/20 (2013.01) [G16Y 40/10 (2020.01); G16Y 40/50 (2020.01)] 6 Claims
OG exemplary drawing
 
1. A method for implementing a dynamic trusted edge gateway for industrial terminals based on classification and hierarchical management, the dynamic trusted edge gateway comprising:
an information collection module;
a local cache module;
an identity collaboration module;
a multi-point deployment support module;
a security event log collaboration module;
a trust evaluation result receiving module; and
a security policy execution module;
the information collection module being configured to establish a connection with the industrial terminals, collect a multi-dimension information of the industrial terminals, and transmit the multi-dimension information to the local cache module and the trust evaluation result receiving module; and the multi-dimension information comprising internet of things (IoT) connectivity status, embedded operating system version, application software version, software license validity period, hardware configuration information, hardware version, network address and communication protocol;
the security event log collaboration module being configured to perform information exchange and event sharing with an industrial control security device and an industrial IoT security device to obtain an exchanged information, and transmit the exchanged information to the trust evaluation result receiving module, so as to evaluate a trust degree and a security degree of the industrial control security device and the industrial IoT security device;
the identity collaboration module being configured to interact with a cloud control center to obtain a classification and hierarchical information of the industrial terminals and synchronously update the classification and hierarchical information to the trust evaluation result receiving module;
the multi-point deployment support module being configured to interact with the cloud control center, and enable interaction and information synchronization in a case that a plurality of dynamic trusted edge gateways are deployed, so as to allow the plurality of dynamic trusted edge gateways to work collaboratively and maintain the multi-dimension information and a security policy;
the local cache module being configured to receive the multi-dimension information collected by the information collection module, and store a predetermined classification and hierarchical information; and the predetermined classification and hierarchical information comprising security level, authorized access scope, and trust score of each of the industrial terminals;
the trust evaluation result receiving module being configured to report the trust score of each of the industrial terminals to the cloud control center, and receive an updated dynamic trust result from the cloud control center, so as to achieve dynamic authorization management of the industrial terminals; and the cloud control center being configured to determine whether a real-time trust score of each of the industrial terminals is within a security range, and update a trust credential and an access control level of each of the industrial terminals to obtain and transmit the updated dynamic trust result to the trust evaluation result receiving module; and
the security policy execution module being configured to execute a security policy; and the security policy comprising access control, traffic monitoring and security event response of the industrial terminals, and being configured to perform access authorization for the industrial terminals based on updated multi-dimension information and an authorization policy, monitor behavior and traffic of the industrial terminals, and respond to security events of the industrial terminals; and
the method comprising:
(S1) performing classification and hierarchical management on the industrial terminals based on a preset classification and hierarchical template, wherein the preset classification and hierarchical template comprises static identity factor-based classification and security level-based hierarchical management;
(S2) actively establishing, by the information collection module, a connection with the industrial terminals; and collecting, by the information collection module, multi-dimension information of the industrial terminals;
(S3) obtaining, by the identity collaboration module, the classification and hierarchical information from the cloud control center and a trusted access to an application resource of an industrial cloud platform; performing, by the identity collaboration module, synchronous access authorization for the industrial terminals; establishing, by the identity collaboration module, a communication connection with the industrial cloud platform or a security proxy of the industrial cloud platform;
(S4) monitoring and obtaining, by the information collection module, a dynamic information of the industrial terminals in real time; performing, by the information collection module, comprehensive assignment on the dynamic information of the industrial terminals to obtain an initial comprehensive trust score; generating, by the trust evaluation result receiving module, a final comprehensive trust score of each of the industrial terminals based on the initial comprehensive trust score and a security event log from the industrial control security device and the industrial IoT security device; and uploading, by the identity collaboration module, the final comprehensive trust score to the cloud control center; and
(S5) determining, by the cloud control center, whether the final comprehensive trust score of each of the industrial terminals is within the security range based on a trust score range, wherein the trust score range is determined by class and grade of each of the industrial terminals; updating, by the cloud control center, the trust credential and the access control level of each of the industrial terminals; and transmitting, by the cloud control center, the updated dynamic trust result to the identity collaboration module and the security policy execution module, so as to achieve dynamic edge trust control.
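Steps (S1) to (S5) of claim 1 as one runnable model, added here as an illustration and not the patent's own implementation. The device-type-to-class mapping, the per-check weights used for the "comprehensive assignment", the security-event penalties, the minimum score per (class, grade) that defines the trust score range, the probation margin, the credential and access-level names, and the sample terminals and event log are all constructed assumptions; the helper names (`classify`, `initial_trust_score`, `final_trust_score`, `cloud_decision`, `run_pipeline`) are likewise hypothetical.

```python
# Added example (not the patent's own code): a runnable model of steps S1-S5
# of claim 1. Field names, weights, penalties, trust ranges and the sample
# terminals are constructed assumptions chosen to illustrate the flow.
from dataclasses import dataclass
from datetime import date

# S1: preset classification and hierarchical template (assumed values).
# A terminal's class comes from a static identity factor (device type);
# its grade is its configured security level (1 = most critical).
CLASS_BY_DEVICE_TYPE = {"plc": "control", "sensor": "field", "hmi": "operator"}

# S5: trust score range per (class, grade). A final score at or above the
# value is "within the security range" (assumed thresholds).
MIN_SCORE = {("control", 1): 0.90, ("control", 2): 0.80,
             ("field", 2): 0.70, ("field", 3): 0.60, ("operator", 2): 0.75}
PROBATION_MARGIN = 0.20          # assumed: this far below the minimum -> read-only

# S4: weight of each dynamic check in the "comprehensive assignment" (assumed).
WEIGHTS = {"connectivity": 0.25, "os_current": 0.25, "app_current": 0.20,
           "license_valid": 0.15, "protocol_allowed": 0.15}
MIN_OS_VERSION = (5, 10)         # assumed baseline for the embedded OS
MIN_APP_VERSION = (2, 3)         # assumed baseline for the application software
ALLOWED_PROTOCOLS = {"modbus-tcp", "opc-ua"}
EVENT_PENALTY = {"low": 0.05, "medium": 0.15, "high": 0.40}   # assumed


@dataclass
class Terminal:
    terminal_id: str
    device_type: str             # static identity factor (S1)
    security_level: int          # grade (S1)
    info: dict                   # multi-dimension information (S2)
    trust_credential: str = "none"
    access_level: str = "deny"


def classify(t: Terminal) -> tuple:
    """S1: map static identity factor and security level to (class, grade)."""
    return CLASS_BY_DEVICE_TYPE[t.device_type], t.security_level


def initial_trust_score(info: dict, today: date) -> float:
    """S4: weighted pass/fail assignment over the dynamic multi-dimension fields."""
    checks = {
        "connectivity": info["iot_connectivity"] == "online",
        "os_current": tuple(info["os_version"]) >= MIN_OS_VERSION,
        "app_current": tuple(info["app_version"]) >= MIN_APP_VERSION,
        "license_valid": info["license_expires"] >= today,
        "protocol_allowed": info["protocol"] in ALLOWED_PROTOCOLS,
    }
    return round(sum(WEIGHTS[k] for k, ok in checks.items() if ok), 3)


def final_trust_score(initial: float, events: list) -> float:
    """S4: fold the security event log into the score; never below zero."""
    penalty = sum(EVENT_PENALTY[e["severity"]] for e in events)
    return round(max(0.0, initial - penalty), 3)


def cloud_decision(cls: str, grade: int, final: float) -> tuple:
    """S5: check the score against the range for this class/grade and return
    the updated (trust_credential, access_level). A (class, grade) pair with
    no configured range is treated as out of range (fail closed)."""
    minimum = MIN_SCORE.get((cls, grade))
    if minimum is None or final < minimum - PROBATION_MARGIN:
        return "revoked", "deny"
    if final < minimum:
        return "probation", "read-only"
    return "trusted", "full"


def run_pipeline(t: Terminal, events: list, today: date) -> dict:
    """Steps S1-S5 for one terminal; applies the cloud result to the terminal."""
    cls, grade = classify(t)
    initial = initial_trust_score(t.info, today)
    final = final_trust_score(initial, events)
    t.trust_credential, t.access_level = cloud_decision(cls, grade, final)
    return {"id": t.terminal_id, "class": cls, "grade": grade,
            "initial": initial, "final": final,
            "credential": t.trust_credential, "access": t.access_level}


# Constructed sample terminals and security event log.
TODAY = date(2025, 3, 1)
SAMPLE_TERMINALS = [
    Terminal("plc-01", "plc", 1, {"iot_connectivity": "online", "os_version": (5, 4),
             "app_version": (2, 5), "license_expires": date(2026, 1, 1),
             "protocol": "modbus-tcp"}),
    Terminal("sensor-07", "sensor", 2, {"iot_connectivity": "online", "os_version": (5, 12),
             "app_version": (2, 3), "license_expires": date(2024, 12, 31),
             "protocol": "opc-ua"}),
    Terminal("hmi-02", "hmi", 2, {"iot_connectivity": "online", "os_version": (6, 0),
             "app_version": (3, 0), "license_expires": date(2026, 6, 30),
             "protocol": "opc-ua"}),
]
SAMPLE_EVENTS = {
    "plc-01": [],
    "sensor-07": [{"severity": "high", "msg": "unexpected outbound connection"}],
    "hmi-02": [{"severity": "medium", "msg": "repeated login failures"}],
}


def evaluate_all(terminals=SAMPLE_TERMINALS, events=SAMPLE_EVENTS, today=TODAY) -> dict:
    """Run the pipeline over every terminal and return results keyed by id."""
    return {t.terminal_id: run_pipeline(t, events.get(t.terminal_id, []), today)
            for t in terminals}


if __name__ == "__main__":
    for result in evaluate_all().values():
        print(result)
```

The three constructed terminals exercise the three outcomes of step (S5): the outdated PLC scores 0.75 against a grade-1 minimum of 0.90 and drops to read-only, the sensor with an expired license and a high-severity event falls to 0.45 and is denied, and the HMI stays within range at 0.85 despite a medium event. Treating an unconfigured (class, grade) pair as out of range is a deliberate fail-closed choice, since a terminal the template does not know should not inherit access by default.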