The industrial Internet platform is the core element of the industrial Internet system. In essence, connecting devices and applications through the platform means layering the Internet of Things, big data, artificial intelligence and other emerging technologies on top of a traditional cloud platform. At present the security threats to industrial Internet platforms are complex and diverse: the platforms' overall security level is low, the attack surface is large and attack methods are varied, and the network security, device and control access security, application security and data security of the platform all face serious challenges. According to survey data from the China Industrial Internet Industry Alliance, in 2019 more than 60% of mainstream industrial Internet platforms encountered network attacks, mainly virus attacks, DDoS attacks and database injection attacks.
At present, the security threats faced by China's industrial Internet platforms fall into the following categories.
First, network security. Because the network boundary of cloud computing is blurred, boundary-based network security technology no longer applies, and security authentication mechanisms, access control measures and other protections are insufficient. The network is vulnerable to APT attacks and denial-of-service attacks, which can lead to sensitive data leaking across the channels between the office intranet, the factory intranet and the Internet, the identification resolution system, edge computing devices and other paths.
Second, access security. The security protection capability of edge computing is weak; where virtualization isolation is inadequate, the systems above it are exposed to serious risk. When a device connects to the industrial Internet platform without cryptographic identity authentication, there is no assurance that the data actually comes from the genuine device. At the same time, the access of operation and maintenance users and of industrial apps must also be identified and controlled.
Third, data security. The industrial Internet platform collects and processes large volumes of sensitive and private data. The entire data life cycle, from collection, transmission, storage and exchange to processing, use and destruction, faces the threat of eavesdropping and tampering.
In view of the above problems, traditional security technology can no longer meet the needs of industrial Internet platforms. Cryptography is the core technology and basic support for protecting network security. Using commercial cryptographic algorithms, cryptographic hardware products, cryptographic software modules, cryptographic services, trusted computing and other means, it can provide access authentication, identity authentication, access control, communication security, and authenticity, confidentiality and integrity protection of data for the industrial Internet platform. To secure the industrial Internet platform at its foundation, an overall, defense-in-depth cryptographic application architecture needs to be built.
Typical cryptographic applications of the industrial Internet platform
Applying cryptography to the network and communication, device and computing, and application and data layers of the industrial Internet platform builds a cloud security system with cryptography at its core. The cryptographic applications of the industrial Internet platform mainly comprise cryptographic infrastructure, general cryptographic services, cryptographic management, and the cryptographic applications of the edge layer, the IaaS layer, the PaaS layer and the SaaS layer.
The cryptographic infrastructure layer is the basic support for cryptographic applications on the industrial Internet platform. The industrial Internet cloud cryptographic service resource pool is a pool of cryptographic hardware built from cloud cryptographic devices that supports virtual deployment. That is, on the basis of multiple physical cryptographic devices, the cloud forms a cryptographic resource pool, manages the cluster of cryptographic resources uniformly, provides cryptographic computing and storage resources to applications on demand, and offers encryption and decryption, signing and signature verification, and hashing based on the SM2 (elliptic-curve public-key), SM3 (hash), SM4 (block cipher) and SM9 (identity-based) algorithms, while improving resource utilization.
General cryptographic services include the digital certificate system, the key management system, the random number generator and the time stamp service. The digital certificate system provides the CA and RA security services; the key management system is responsible for the whole life cycle of keys; the random number generator produces random numbers of the length required by the configured algorithm; and a time stamp is data produced by digital signature that binds a hash of the data to a trusted time, so that it can later be verified that the data existed at that time and has not been tampered with since. General cryptographic services mainly exist to be called by the typical cryptographic applications of the IaaS, PaaS and SaaS layers.
Cryptographic management mainly covers the management of cryptographic services, keys and access control. The cloud cryptographic service system is located in the hardware environment of the cloud, and users can only log in to its management interface through remote management. For key management, because an industrial Internet platform has many users and a large amount and variety of data, different users and types of data need different keys, and a multi-level key isolation mechanism is provided according to the different levels of security requirements. Access control is the key to accessing cloud cryptographic services; it provides multiple modes of access control by integrating certificate authentication, OAuth authentication, OpenID and other authentication forms.
In the edge layer, SSL VPN and IPsec VPN security gateways are deployed to perform security authentication of the communication network, realizing access authentication of devices and identity authentication of users. At the same time, the confidentiality and integrity of data collected and processed at the edge are protected to prevent leakage or unauthorized tampering of sensitive data.
In the IaaS layer, the service forms generally include computing, storage and network resources; the resources rented by a tenant are relatively independent and unrelated to specific business data. Cryptographic applications in the IaaS layer therefore focus mainly on encrypting the tenant's data and virtual machine images, and on user identity authentication.
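As an added worked example (not code from the original article or from any vendor it mentions), the following Go program shows the multi-level key isolation of the cryptographic management layer and the envelope encryption a platform would use for a tenant's data or virtual machine image in the IaaS layer: a master key standing in for the key held inside the cloud cryptographic device, a per-tenant key-encrypting key derived from it, and a fresh data key for each object. AES-256-GCM and HMAC-SHA256 are assumptions made so the program runs on the Go standard library alone, since SM4 and SM3 are not in it; the tenant names, master key and plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo master key. In a real platform it lives only inside the
// cloud cryptographic devices of the resource pool and never leaves them.
var masterKey = []byte("demo-master-key-do-not-use-in-production")

// tenantKEK derives the key-encrypting key of one tenant from the master key.
// HMAC-SHA256 over a labelled input is a one-block HKDF-Expand (SM3 would be
// the domestic stand-in). Distinct labels give unrelated keys, so tenants are
// isolated without the master key ever being handed out.
func tenantKEK(tenant string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("kek:v1:" + tenant))
	return mac.Sum(nil)
}

// gcmFor builds an AES-256-GCM AEAD (stand-in for SM4-GCM) over key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and binds aad into the tag; output is nonce||ct||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to key, aad, nonce or ciphertext fails.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what the platform stores beside a tenant object or VM image:
// the data under a fresh data key (DEK), and the DEK wrapped under the
// tenant KEK. Neither the master key nor the KEK is stored with the data.
type Envelope struct {
	Tenant     string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt creates an envelope for one object owned by tenant.
func Encrypt(tenant string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte("data:"+tenant))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(tenantKEK(tenant), dek, []byte("dek:"+tenant))
	if err != nil {
		return nil, err
	}
	return &Envelope{Tenant: tenant, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs on behalf of the tenant the access-control layer authenticated
// (caller). Unwrapping with another tenant's KEK fails the GCM tag check, so a
// mis-routed or forged request cannot recover someone else's data.
func Decrypt(caller string, env *Envelope) ([]byte, error) {
	dek, err := unseal(tenantKEK(caller), env.WrappedDEK, []byte("dek:"+env.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for caller %q: %w", caller, err)
	}
	return unseal(dek, env.Ciphertext, []byte("data:"+env.Tenant))
}

func main() {
	env, err := Encrypt("factory-a", []byte("PLC setpoints: line 3, 1450 rpm"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt("factory-a", env)
	fmt.Printf("owner:        %q err=%v\n", pt, err)
	_, err = Decrypt("factory-b", env)
	fmt.Printf("other tenant: err=%v\n", err)
}
```

The owner's decrypt succeeds and the cross-tenant decrypt fails the tag check. Two points carry the isolation: the master key never leaves the cryptographic device, so compromising one tenant's wrapped keys yields nothing about another's, and the access-control layer in front of Decrypt decides which tenant the caller is; the cryptography enforces the separation, but the authentication decides where the line is drawn.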
In the PaaS layer, common services include database services, object storage, map services, e-contracts and so on. According to the cryptographic requirements of the application scenario, each tenant can integrate on demand through the cloud cryptographic access middleware, mainly for data encryption and decryption, security authentication, authorization management, collaborative signing (two-party signing in which neither side holds the complete private key) and other cryptographic applications.
In the SaaS layer, the requirements for cryptographic applications can be summarized as secure user access, identity authentication, non-repudiation of key business operations and secure storage of sensitive industrial data. For example, in sensitive industrial applications, cryptography should be used to provide evidence of data origin and evidence of data receipt, so that neither the act of originating the data nor the act of receiving it can be repudiated.
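As an added example (not from the original article), the following Go program implements the evidence-of-origin and evidence-of-receipt exchange described above; the same construction, a signature over a hash of the data together with a time, is what the time stamp service in the general cryptographic services layer produces over a document hash. Ed25519 signatures and SHA-256 stand in for SM2 and SM3, which are not in the Go standard library; the party names, message and times are constructed for the example, and in a real deployment the public keys would come from the platform CA and the times from a time stamp authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Evidence is a signed statement about one message. Kind separates the
// origin evidence (signed by the producer) from the receipt evidence (signed
// by the consumer). The signature covers every other field, so a piece of
// evidence cannot be re-bound to another message, party or time.
type Evidence struct {
	Kind   string   // "origin" or "receipt"
	Signer string   // identity of the signing party (CA-issued in practice)
	Peer   string   // the other party
	Digest [32]byte // SHA-256 of the message (SM3 in a domestic deployment)
	Unix   int64    // time claimed by the signer; a TSA countersignature would add a trusted time
	Sig    []byte
}

// toBeSigned serialises the signed fields with length prefixes so that no two
// different field sets encode to the same byte string.
func (e *Evidence) toBeSigned() []byte {
	var buf []byte
	for _, s := range []string{e.Kind, e.Signer, e.Peer} {
		buf = binary.BigEndian.AppendUint32(buf, uint32(len(s)))
		buf = append(buf, s...)
	}
	buf = append(buf, e.Digest[:]...)
	return binary.BigEndian.AppendUint64(buf, uint64(e.Unix))
}

func sign(priv ed25519.PrivateKey, e *Evidence) *Evidence {
	e.Sig = ed25519.Sign(priv, e.toBeSigned())
	return e
}

// Verify checks evidence against the message it claims to cover and the
// public key registered for its signer. Any change to the message, the
// parties, the time or the signature is rejected.
func Verify(pub ed25519.PublicKey, e *Evidence, message []byte) error {
	if sha256.Sum256(message) != e.Digest {
		return errors.New("digest does not match message")
	}
	if !ed25519.Verify(pub, e.toBeSigned(), e.Sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// OriginEvidence: the producer commits to the message before sending it, so
// it cannot later deny having sent exactly these bytes to this receiver.
func OriginEvidence(priv ed25519.PrivateKey, sender, receiver string, msg []byte, now int64) *Evidence {
	return sign(priv, &Evidence{Kind: "origin", Signer: sender, Peer: receiver,
		Digest: sha256.Sum256(msg), Unix: now})
}

// ReceiptEvidence: the consumer commits to having received that message. It
// copies the digest from the verified origin evidence so both statements are
// bound to the same bytes, and the consumer cannot later deny receipt.
func ReceiptEvidence(priv ed25519.PrivateKey, origin *Evidence, now int64) *Evidence {
	return sign(priv, &Evidence{Kind: "receipt", Signer: origin.Peer, Peer: origin.Signer,
		Digest: origin.Digest, Unix: now})
}

// Exchange runs the protocol end to end: the sender signs, the receiver
// verifies before acknowledging, then signs the receipt. Times are constructed.
func Exchange(sPub ed25519.PublicKey, sPriv, rPriv ed25519.PrivateKey, msg []byte) (*Evidence, *Evidence, error) {
	origin := OriginEvidence(sPriv, "mes-server", "cloud-app", msg, 1700000000)
	if err := Verify(sPub, origin, msg); err != nil {
		return nil, nil, fmt.Errorf("receiver rejects message: %w", err)
	}
	return origin, ReceiptEvidence(rPriv, origin, 1700000005), nil
}

func main() {
	sPub, sPriv, _ := ed25519.GenerateKey(nil)
	rPub, rPriv, _ := ed25519.GenerateKey(nil)
	msg := []byte("work order 42 released to line 3")
	origin, receipt, err := Exchange(sPub, sPriv, rPriv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("origin ok:  ", Verify(sPub, origin, msg) == nil)
	fmt.Println("receipt ok: ", Verify(rPub, receipt, msg) == nil)
	fmt.Println("altered msg:", Verify(sPub, origin, []byte("work order 43 released to line 3")))
}
```

Non-repudiation here rests on the private keys being held only by their owners (in a cryptographic device or collaborative-signing scheme, not in application memory) and on the binding of each party's identity to its public key by the CA; the receipt is only meaningful because the receiver verified the origin evidence before signing it.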
How to develop cryptographic applications on the industrial Internet platform
At present, China's industrial Internet platforms are in the stage of development and construction, while their cryptographic applications are still at a slow initial stage: the utilization rate of domestic cryptographic algorithms is low, few cryptographic products on the market are suited to industrial Internet platforms, and customized industrial Internet cryptographic services are lacking. Therefore, to fundamentally guarantee the security of industrial Internet platforms and lay out commercial cryptography applications, the author puts forward the following suggestions.
Strengthen supervision of and investment in industrial Internet cryptographic applications. The state should focus on the security needs of industrial Internet platforms, continue to increase support for their cryptographic applications, and promote them through special funding, pilot demonstrations and other measures. The state should supervise enterprises so that they give priority to deploying commercial cryptographic algorithms, products and services when building industrial Internet platforms, and should conduct security assessments of commercial cryptography applications to ensure that cryptographic applications on industrial Internet platforms are compliant and effective.
Establish a sound standard system for industrial Internet cryptography. At present there are few industrial Internet security standards in China, and standards for industrial Internet cryptography are extremely scarce. To promote orderly development of the industrial Internet industry, China should speed up the establishment of interdisciplinary organizations that include industrial enterprises, commercial cryptography enterprises and research institutions, formulate technical and industry standards for industrial Internet cryptographic applications, promote cryptographic applications in intelligent manufacturing, energy and other industries, and encourage the development of effective group standards.
Strengthen technical research on industrial Internet cryptographic applications. Industrial Internet platforms place higher demands on virtualization, format-preserving encryption, homomorphic encryption, lightweight cryptography and related technologies, and enterprises and research institutions should strengthen research on and implementation of them. To suit cryptographic use in the cloud environment, cryptography vendors need to develop products compatible with industrial Internet platforms, provide integrated cryptographic services for them, and build a cryptographic security situational awareness platform to improve awareness of cryptographic application security from an overall perspective.