1、 The national policy framework for the industrial Internet continues to develop

In June 2018, the Ministry of Industry and Information Technology issued the Industrial Internet Development Action Plan (2018-2020).

The plan states that by the end of 2020 the industrial Internet infrastructure and industrial system will be preliminarily completed, and it explicitly lists an action to raise the level of security among the eight actions of its key tasks.

In July 2019, ten departments issued the guidance notice on strengthening industrial Internet security.

Article 8 addresses strengthening the security of platforms and industrial applications (apps). Organizations that build and operate industrial Internet platforms are required to build the platform in accordance with relevant standards, conduct a security assessment before the platform goes online, and establish and improve a security testing mechanism that is applied before industrial apps are put into use.

Article 14 calls for building a security evaluation system for industrial Internet equipment, networks, platforms and industrial apps, and for relying on third-party institutions such as industrial alliances and industry associations to continuously provide security capability evaluation services for industrial Internet enterprises.

Article 15 encourages and supports professional institutions and network security enterprises in providing services such as security diagnosis and evaluation, security consulting, data protection, code inspection, system hardening and cloud protection.

Article 16 addresses strengthening the research and development of security products such as attack protection, vulnerability discovery and situational awareness. It supports drawing on the wider community through innovative methods such as crowdsourced testing and research to improve technical capability in vulnerability detection.

In March 2020, the Ministry of Industry and Information Technology issued the notice on promoting the accelerated development of the industrial Internet.

The notice explicitly proposes improving the security technology monitoring system and carrying out detection and analysis on more than 100 industrial apps to enhance app security. It also proposes improving the security inspection and detection mechanism: regularly inspecting and testing key platforms, industrial enterprises and industrial apps, guiding and assisting enterprises in finding potential security risks, remediating them promptly, and raising the level of enterprise security protection.

2、 Industrial Internet security risks continue to emerge

With the rapid development of the industrial Internet, more and more new security risks and attack surfaces are exposed to the Internet or the intranet. As business scenarios move to the cloud and data becomes interoperable, enterprises enjoy the cost savings and efficiency gains that interconnection brings, but they also need to be able to identify the potential security risks. In a series of government announcements on the industrial Internet, many state departments have also issued guidance on building industrial Internet security.

Beyond the traditional industrial control security field, there are three kinds of hidden risks that may affect industrial production safety:

1. Security of industrial edge equipment: for example, the security of industrial routers, gateways and DTUs. In terms of deployment position, this equipment is a core edge node. In terms of function, it has to handle both edge computing and data transmission and reception. It is an important part of industrial production security and operational security. However, industrial edge devices generally lack a complete mechanism for regular security testing and security monitoring. Hackers can affect the production process by attacking industrial edge devices, or launch larger-scale attacks on the industrial intranet by compromising edge devices.

2. Security of the industrial Internet cloud platform: as enterprises move to cloud platforms one after another, whether a third-party public cloud platform or a private cloud platform built by the enterprise itself, they face the risk of attacks from the web security field. As a PaaS service, the industrial Internet cloud platform provides management and operation for industrial equipment and production business. At the same time, it is a web application exposed on the Internet, and it may face network attacks such as brute-force cracking, SQL injection and DDoS at any time. However, industrial enterprises generally know little about cloud security and web security and are unable to evaluate the security and robustness of their own business.

3. Security of industrial apps: industrial apps bring great management convenience to industrial Internet scenarios, and cover most daily management functions, including management of industrial equipment, the cloud platform and business processes, common data analysis, fault alarms and after-sales maintenance. While providing these management functions, an industrial app also touches high-risk assets such as production privacy data, cloud interface data and the business management permissions of many types of enterprises. Once a security incident occurs, the consequences may include sensitive data leakage and tampering with production safety processes.

Based on the above three security dimensions and the relevant national policy requirements, Qinglianyun launched the IoT security detection platform Tinyscan. Tinyscan provides end-to-end, remote, automated security detection services focused on industrial edge device security, industrial Internet cloud platform security and industrial app security, and offers a standard enterprise API. It can integrate with the internal information systems of industrial enterprises, build a production and R&D security monitoring system for industrial Internet enterprises through continuous, regular and effective security detection, standardize the enterprise security testing process, and help enterprises develop and test security technical specifications.

3、 Qinglianyun IoT security detection platform product introduction

Platform introduction: delivered as a SaaS service, the platform provides remote, automated security detection services covering device firmware, cloud platform / API and client app, and issues enterprise-specific security detection reports that can be downloaded and used for retesting. The standard enterprise API helps enterprises carry out regular, automated security monitoring. Through the API, Tinyscan's automated vulnerability discovery capability can also be integrated into the enterprise's internal security management platform or operations and maintenance platform, helping enterprises establish their own security testing process.

The platform contains hundreds of test items, including but not limited to:

• Device firmware security detection: software vulnerability detection, component vulnerability detection, CVE vulnerability identification, sensitive information detection, hard-coding detection, encryption security detection, authentication security detection, system service detection, remote overflow vulnerability detection, user password detection, etc.

• Cloud platform / API security detection: SQL injection detection, XSS detection, remote command execution detection, remote file inclusion detection, directory traversal detection, CSRF detection, identity detection, horizontal permission detection, sensitive file leakage detection, etc.

• Client app detection: component security detection, arbitrary debugging detection, arbitrary backup detection, encryption detection, file reading and writing detection, system vulnerability detection, authentication security detection, port security detection, malicious code execution detection, etc.

Tinyscan security detection result example (PDF report download is supported)

4、 Pricing

The Qinglianyun IoT security detection platform is available in two versions: a free version and a commercial version. The versions differ in the detection capabilities and service capabilities they provide.
