CPC H04L 63/20 (2013.01) [H04L 63/1408 (2013.01)] | 6 Claims |
1. An industrial control system security analysis method comprising:
collecting a communication data packet from a first industrial control system, wherein the communication data packet comprises interactive data transmitted between control devices in the first industrial control system;
extracting network identifiable information from the communication data packet, wherein the network identifiable information identifies at least one of a communication object, a communication rule, and a communication content;
determining whether the network identifiable information matches a pre-created event database;
if the network identifiable information matches the event database, performing the following:
determining that the communication data packet is a malicious data packet;
acquiring security policies of the first industrial control system and a second industrial control system, wherein the security policies include rules for processing a malicious data packet; and
determining a threat coefficient of the communication data packet for the second industrial control system based on the network identifiable information and each of the security policies, wherein the threat coefficient represents a degree of threat of the communication data packet to the second industrial control system;
wherein after acquiring the security policies of the first industrial control system and the second industrial control system, respectively, the method further comprises:
determining target control devices having a risk of being attacked by the communication data packet in the operational technology (OT) network according to the extracted network identifiable information and the security policies;
determining a threat coefficient of the communication data packet for each target control device respectively according to the network identifiable information;
sending the threat coefficient for each of the target control devices to a manager; and
generating optimization suggestions for optimizing at least one of said acquired security policies according to the network identifiable information after receiving a confirmation instruction sent by the manager according to the threat coefficient for each target control device.
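The steps of claim 1 form one procedure: collect a packet, extract object/rule/content information, match it against an event database, acquire the two systems' security policies, score the threat per target control device, report to a manager, and (only after confirmation) suggest policy changes. The Python below is an added walk-through of that procedure written for this page; it is not code from the patent, and the packet layout, the Modbus-style indicators in the event database, the policy layout and the threat-coefficient formula (strongest matched severity scaled by an exposure factor taken from the device's handling rule) are all assumptions made for illustration. The packets and policies are constructed sample data.

```python
"""Added illustration of the claimed analysis flow (not code from the patent).
Packet layout, the event-database indicators, the policy layout and the
threat-coefficient formula are all assumptions made for this example."""

# Constructed Modbus-style packets "collected" from the first ICS (not real traffic).
PACKETS = [
    {"src": "10.0.1.50", "dst": "10.0.1.10", "proto": "modbus", "func": 6, "reg": 40001, "val": 0},
    {"src": "10.0.1.20", "dst": "10.0.1.10", "proto": "modbus", "func": 3, "reg": 40010, "val": None},
]

# Pre-created event database: each indicator matches one kind of network
# identifiable information (object, rule or content) and carries a base severity.
EVENT_DB = [
    {"kind": "object", "match": {"src": "10.0.1.50"}, "severity": 0.6,
     "name": "source host absent from asset inventory"},
    {"kind": "rule", "match": {"proto": "modbus", "func": 6}, "severity": 0.7,
     "name": "write single register"},
    {"kind": "content", "match": {"reg": 40001, "val": 0}, "severity": 0.9,
     "name": "setpoint register zeroed"},
]

# Security policies of the first and second ICS (assumed layout): per device,
# the function codes it accepts and the rule applied to a packet judged malicious.
POLICIES = {
    "ics1": {"10.0.1.10": {"funcs": {3, 6, 16}, "on_malicious": "drop"}},
    "ics2": {"10.0.2.10": {"funcs": {3, 6}, "on_malicious": "alert"},
             "10.0.2.11": {"funcs": {3}, "on_malicious": "allow"},
             "10.0.2.12": {"funcs": {6, 16}, "on_malicious": "allow"}},
}
# Assumed exposure factor: how much of an indicator's severity survives the rule.
EXPOSURE = {"allow": 1.0, "alert": 0.5, "drop": 0.0}


def extract_info(pkt):
    """Split a packet into the three classes of network identifiable information."""
    return {"object": {"src": pkt["src"], "dst": pkt["dst"]},
            "rule": {"proto": pkt["proto"], "func": pkt["func"]},
            "content": {"reg": pkt["reg"], "val": pkt["val"]}}


def match_events(info, event_db=EVENT_DB):
    """Return every indicator whose fields all equal the packet's extracted fields."""
    return [ev for ev in event_db
            if all(info[ev["kind"]].get(k) == v for k, v in ev["match"].items())]


def target_devices(info, policy):
    """Devices of a system whose accepted function codes include the packet's operation."""
    return sorted(dev for dev, p in policy.items() if info["rule"]["func"] in p["funcs"])


def threat_coefficient(hits, device_policy):
    """Strongest matched severity, scaled by the device rule's exposure (assumed formula)."""
    return round(max(ev["severity"] for ev in hits) * EXPOSURE[device_policy["on_malicious"]], 3)


def analyse(pkt, policies=POLICIES):
    """Steps of the claim: extract, match, judge, acquire policies, score per target device."""
    info = extract_info(pkt)
    hits = match_events(info)
    if not hits:
        return {"malicious": False, "coefficients": {}, "system_coefficient": 0.0}
    first, second = policies["ics1"], policies["ics2"]
    coeffs = {dev: threat_coefficient(hits, second[dev]) for dev in target_devices(info, second)}
    return {
        "malicious": True,
        "events": [ev["name"] for ev in hits],
        "info": info,
        # how the first ICS's own policy handles the packet at its destination
        "handled_in_first": first.get(pkt["dst"], {}).get("on_malicious", "allow"),
        "coefficients": coeffs,                                   # per target device
        "system_coefficient": max(coeffs.values(), default=0.0),  # second ICS as a whole
    }


def optimization_suggestions(report, confirmed, policy=POLICIES["ics2"], threshold=0.3):
    """Only after the manager confirms the coefficients: propose tightening the
    rule of each target device whose coefficient exceeds the threshold."""
    if not (confirmed and report["malicious"]):
        return []
    rule, obj = report["info"]["rule"], report["info"]["object"]
    return [f"{dev}: set on_malicious=drop and deny {rule['proto']} func {rule['func']} from {obj['src']}"
            for dev, c in report["coefficients"].items()
            if c > threshold and policy[dev]["on_malicious"] != "drop"]


if __name__ == "__main__":
    for pkt in PACKETS:
        rep = analyse(pkt)
        print(rep["malicious"], rep["coefficients"])
        for line in optimization_suggestions(rep, confirmed=True):
            print("  suggest:", line)
```

The first constructed packet matches all three indicator kinds (unknown source, write-register operation, setpoint zeroed); of the second system's devices only the two that accept function code 6 are scored, and the device whose rule merely alerts receives half the coefficient of the device whose rule allows the packet through. The second packet matches nothing and is not malicious, so no suggestions are produced for it regardless of the manager's confirmation.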